CVE-2025-2296
published 2025-12-09CVE-2025-2296: EDK2 contains a vulnerability in BIOS where an attacker may cause “ Improper Input Validation” by local access. Successful exploitation of this vulnerability…
high8.4CVSS 4.0
AVNACLATNPRHUINVCLVIHVALSCLSIHSALEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EDK2 contains a vulnerability in BIOS where an attacker may cause “ Improper Input Validation” by local access. Successful exploitation of this vulnerability could alter control flow in unexpected ways, potentially allowing arbitrary command execution and impacting Confidentiality, Integrity, and Availability.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | edk2 | < edk2 2025.02-1 (forky) | edk2 2025.02-1 (forky) |
| msrc | azl3_edk2_20240524git3e722403cd16-10_on_azure_linux_3.0 | — | — |
| msrc | azl3_qemu_8.2.0-25_on_azure_linux_3.0 | — | — |
| msrc | cbl2_edk2_20230301gitf80f052277c8-43_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_hvloader_1.0.1-14_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_qemu_6.2.0-26_on_cbl_mariner_2.0 | — | — |
| tianocore | edk2 | < edk2-stable202502 | edk2-stable202502 |
| tianocore | edk2 | >= 0 < 2025.02-1 | 2025.02-1 |
| tianocore | edk2 | >= 0 < 2025.02-1 | 2025.02-1 |
CVSS provenance
nvdv4.08.4HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv8.4HIGH