An update for edk2 is now available for openEuler-22.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2775 Final 1.0 1.0 2026-06-24 Initial 2026-06-24 2026-06-24 openEuler SA Tool V1.0 2026-06-24 edk2 security update An update for edk2 is now available for openEuler-22.03-LTS-SP4 EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. Security Fix(es): EDK2 contains a vulnerability in BIOS where a user may cause an Integer Overflow or Wraparound by network means. A successful exploitation of this vulnerability may lead to denial of service.(CVE-2025-2295) Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.(CVE-2026-9076) An update for edk2 is now available for openEuler-22.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High edk2 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2775 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-2295 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-9076 https://nvd.nist.gov/vuln/detail/CVE-2025-2295 https://nvd.nist.gov/vuln/detail/CVE-2026-9076 openEuler-22.03-LTS-SP4 edk2-202011-34.oe2203sp4.src.rpm edk2-aarch64-202011-34.oe2203sp4.noarch.rpm edk2-help-202011-34.oe2203sp4.noarch.rpm edk2-ovmf-202011-34.oe2203sp4.noarch.rpm python3-edk2-devel-202011-34.oe2203sp4.noarch.rpm edk2-debuginfo-202011-34.oe2203sp4.aarch64.rpm edk2-debugsource-202011-34.oe2203sp4.aarch64.rpm edk2-devel-202011-34.oe2203sp4.aarch64.rpm edk2-debuginfo-202011-34.oe2203sp4.x86_64.rpm edk2-debugsource-202011-34.oe2203sp4.x86_64.rpm edk2-devel-202011-34.oe2203sp4.x86_64.rpm EDK2 contains a vulnerability in BIOS where a user may cause an Integer Overflow or Wraparound by network means. A successful exploitation of this vulnerability may lead to denial of service. 2026-06-24 CVE-2025-2295 openEuler-22.03-LTS-SP4 Low 3.5 AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L edk2 security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2775 Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue. 2026-06-24 CVE-2026-9076 openEuler-22.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H edk2 security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2775