Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-2486

The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.

Published

2025-11-26T18:15:48.357

Last Modified

2025-12-19T16:31:04.217

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

Weaknesses

Type: Secondary
CWE-489

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	tianocore	edk2	202402*	Yes
Application	tianocore	edk2	202405	Yes

References

https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797 Third Party Advisory, Patch ([email protected])