CVE-2025-2486

EUVD-2025-199745

26.11.2025, 18:15

The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Ubuntu Releases

Ubuntu Product

Codename

edk2

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	Fixed 2024.02-2ubuntu0.3 released
oracular	Fixed 2024.05-2ubuntu0.3 released
plucky	Fixed 2025.02-3ubuntu1 released
xenial	not-affected

Common Weakness Enumeration

CWE-489 - Active Debug Code
The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

References

https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797