CVE-2025-2486
Publication date 26 November 2025
Last updated 3 December 2025
Ubuntu priority
Description
The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| edk2 | 25.04 plucky | Fixed 2025.02-3ubuntu1 |
| | 24.04 LTS noble | Fixed 2024.02-2ubuntu0.3 |
| | 22.04 LTS jammy | Not affected |
| | 20.04 LTS focal | Not affected |
| | 18.04 LTS bionic | Not affected |
| | 16.04 LTS xenial | Not affected |
Notes
mdeslaur
incomplete fix for CVE-2023-48733

In response to CVE-2023-48733, a different patch was backported to Jammy and Focal that merely disables the Shell but does not remove it, which did apply to AAVMF as well; hence only Noble, Oracular, and Plucky are vulnerable.