CVE-2025-2486

The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | UNKNOWN | ---
canonical | CNA | --- | ---
CISA-ADP | ADP | --- | ---
Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score
Percentile: 3%
Ubuntu Releases
Ubuntu Product | Codename | Status
edk2 | plucky | Fixed 2025.02-3ubuntu1 (released)
edk2 | oracular | Fixed 2024.05-2ubuntu0.3 (released)
edk2 | noble | Fixed 2024.02-2ubuntu0.3 (released)
edk2 | jammy | not-affected
edk2 | focal | not-affected
edk2 | bionic | not-affected
edk2 | xenial | not-affected