CVE-2025-2486

Publication date 28 April 2025

Last updated 28 April 2025


Ubuntu priority

Description

built-in shell still present in AAVMF secboot image


Status

Package   Ubuntu Release     Status
edk2      25.04 plucky       Fixed 2025.02-3ubuntu1
edk2      24.10 oracular     Fixed 2024.05-2ubuntu0.3
edk2      24.04 LTS noble    Fixed 2024.02-2ubuntu0.3
edk2      22.04 LTS jammy    Not affected
edk2      20.04 LTS focal    Not affected
edk2      18.04 LTS bionic   Not affected
edk2      16.04 LTS xenial   Not affected

Notes


mdeslaur

incomplete fix for CVE-2023-48733

In response to CVE-2023-48733, a different patch was backported to Jammy and Focal, that merely disables the Shell, but does not remove it, which did apply to AAVMF as well, hence only Noble, Oracular, and Plucky are vulnerable.