CVE-2023-45236
Publication date 16 January 2024
Last updated 16 January 2026
Ubuntu priority
Description
EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| edk2 | 25.10 questing |
Not affected
|
| 24.04 LTS noble | Ignored see notes | |
| 22.04 LTS jammy | Ignored see notes | |
| 20.04 LTS focal | Ignored end of standard support, was needed | |
| 18.04 LTS bionic | Ignored end of standard support | |
| 16.04 LTS xenial | Ignored end of standard support | |
| 14.04 LTS trusty | Ignored end of standard support |
Notes
mdeslaur
This CVE was originally fixed by USN-7894-1, but it introduced a regression in network boot and was reverted by USN-7894-2. The fix for this issue results in a behavioural change that requires guests to have a random network generator (virtio-rng). Since this is a behavioural change, we are not able to fix this CVE in stable releases. Marking as ignored.
Patch details
| Package | Patch details |
|---|---|
| edk2 |
|
Severity score breakdown
CVSS version: CVSS v3.0
Base score
5.8 · Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
References
Related Ubuntu Security Notices (USN)
- USN-7894-1
- EDK II vulnerabilities
- 26 November 2025