CVE-2023-45236 — Sensitive Information Exposure in Edk2

CWE-200 — Sensitive Information Exposure CWE-338 — Use of Cryptographically Weak Pseudo-Random Number Generator11 documents8 sources

Severity

7.5HIGHNVD

CNA5.8OSV7.4

EPSS

0.4%

top 40.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tianocore Edk2

Timeline

PublishedJan 16

Latest updateNov 28

Description

EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Debiantianocore/edk2< 2024.05-1+1

▶Ubuntutianocore/edk2< 2022.02-3ubuntu0.22.04.5+3

▶NVDtianocore/edk2202311

▶CVEListV5tianocore/edk2edk2-stable202308

🔴Vulnerability Details

OSV

edk2 regression↗2025-11-28

▶

OSV

edk2 vulnerabilities↗2025-11-26

▶

CVEList

Predictable TCP ISNs in EDK II Network Package↗2024-01-16

▶

GHSA

GHSA-fqc4-ffq5-4r98: EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number↗2024-01-16

▶

OSV

CVE-2023-45236: EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number↗2024-01-16

▶

📋Vendor Advisories

Ubuntu

EDK II regression↗2025-11-28

▶

Ubuntu

EDK II vulnerabilities↗2025-11-26

▶

Red Hat

edk2: Predictable TCP Initial Sequence Numbers↗2024-01-16

▶

Microsoft

Predictable TCP ISNs in EDK II Network Package↗2024-01-09

▶

Debian

CVE-2023-45236: edk2 - EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Numb...↗2023

▶