CVE-2023-45229

Publication date 16 January 2024

Last updated 24 October 2025

Ubuntu priority

Cvss 3 Severity Score

Description

EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
edk2	25.10 questing	Not affected
	25.04 plucky	Not affected
	24.10 oracular	Not affected
	24.04 LTS noble	Not affected
	23.10 mantic	Ignored end of life, was needed
	23.04 lunar	Ignored end of life, was needs-triage
	22.04 LTS jammy	Fixed 2022.02-3ubuntu0.22.04.2
	20.04 LTS focal	Vulnerable
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation
	14.04 LTS trusty	Ignored end of standard support

Notes

eslerm

"exposure is limited to PXE boot or HTTP boot" patchset available in bug 4518, but not in repo (until Feb-24) fix and unit test commit id likely 9613e15be77 and ac0130907b8

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
edk2	Upstream: 1dbb10c Upstream: 1c440a5 Upstream: 0736276

Severity score breakdown

Parameter	Value
Base score	6.5 · Medium
Attack vector	Adjacent
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	None
Availability impact	None
Vector	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N