CVE-2023-48733
Publication date 14 February 2024
Last updated 19 August 2025
Ubuntu priority
Description
An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2. This allows an OS-resident attacker to bypass Secure Boot.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| edk2 | 25.10 questing |
Fixed 2023.11-7
|
| 25.04 plucky |
Fixed 2023.11-7
|
|
| 24.04 LTS noble |
Fixed 2023.11-7
|
|
| 22.04 LTS jammy |
Fixed 2022.02-3ubuntu0.22.04.2
|
|
| 20.04 LTS focal |
Fixed 0~20191122.bd85bf54-2ubuntu3.5
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty | Ignored end of standard support |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.7 · Medium
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | High |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6638-1
- EDK II vulnerabilities
- 15 February 2024