CVE-2025-2296

HIGH

TianoCore EDK2 BIOS - Local Input Validation Command Execution

Title source: manual

Description

EDK2 contains a vulnerability in BIOS where an attacker may cause “Improper Input Validation” by local access. Successful exploitation of this vulnerability could alter control flow in unexpected ways, potentially allowing arbitrary command execution and impacting Confidentiality, Integrity, and Availability.

References (1)


Scores

CVSS v4 8.4
EPSS 0.0070
EPSS Percentile 48.4%
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-20
Status published
Products (1)
TianoCore/EDK2 < edk2-stable202502
Published Dec 09, 2025
Tracked Since Feb 18, 2026