UEFI Firmware Vulnerability in Ubuntu Affects Secure Boot Configurations
CVE-2025-2486

3.7 LOW

Key Information:

Vendor: Ubuntu

Status: Vendor

CVE Published: 26 November 2025

What is CVE-2025-2486?

The Ubuntu edk2 UEFI firmware packages shipped a flaw that inadvertently left the UEFI Shell accessible while Secure Boot was enabled. Because the Shell permits operations that Secure Boot is meant to prevent, this could lead to a bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell outright; earlier releases instead relied on a Secure-Boot-based decision mechanism that proved insufficient to maintain Secure Boot restrictions. This fix supplements an earlier fix for a previous vulnerability, which was incomplete.

Affected Version(s)

  • edk2 aarch64 2024.05 < 2024.05-2ubuntu0.3

  • edk2 aarch64 2024.02 < 2024.02-2ubuntu0.3
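To decide whether an installed edk2 package falls inside the affected ranges above, the comparison must follow Debian version ordering (numeric runs compared as numbers, "~" sorting before everything), not plain string comparison. The following is an added example, not code from the advisory or from Ubuntu: it implements that ordering in Python and checks a version string against the two fixed versions listed on this page (the installed version string is assumed to come from the reader's own `dpkg-query` output).

```python
import re
from itertools import zip_longest

# Fixed versions for the two affected series, as listed in the advisory (edk2, aarch64).
FIXED = {"2024.05": "2024.05-2ubuntu0.3", "2024.02": "2024.02-2ubuntu0.3"}

def _order(c):
    """Debian ordering for non-digit characters: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a, b):
    for x, y in zip_longest(a, b, fillvalue=""):
        d = _order(x) - _order(y)
        if d:
            return d
    return 0

def _cmp_part(a, b):
    """Compare an upstream or revision string as alternating non-digit and numeric runs."""
    ta = re.findall(r"(\D*)(\d*)", a)
    tb = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(ta, tb, fillvalue=("", "")):
        d = _cmp_nondigit(na, nb) or int(da or 0) - int(db or 0)
        if d:
            return d
    return 0

def _split(version):
    """Split 'epoch:upstream-revision' into its three parts (epoch and revision optional)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, matching dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    d = (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)
    return (d > 0) - (d < 0)

def is_affected(installed):
    """True if the version predates the fix for its series; None if the series is not listed."""
    fixed = FIXED.get(_split(installed)[1])
    return None if fixed is None else compare_versions(installed, fixed) < 0
```

Feed it the output of `dpkg-query -W -f '${Version}' <edk2 package name>` on the host being assessed; a result of None means the installed series is not one of the two the advisory covers.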

References

CVSS V4

Score: 3.7

Severity: LOW

Confidentiality: None

Integrity: High

Availability: None

Attack Vector: Local

Attack Complexity: High

Attack Requirements: None

Privileges Required: Undefined

User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dann Frazier