Vulnerability DatabaseCVE-2025-2295

CVE-2025-2295:
Linux Debian vulnerability analysis and mitigation

Overview

EDK2 contains a vulnerability in BIOS (CVE-2025-2295) discovered on March 14, 2025, where a user may cause an Integer Overflow or Wraparound by network means. The vulnerability affects the iSCSI DXE component in EDK2's NetworkPkg (NVD, GitHub Advisory).

Technical details

The vulnerability exists in the NetworkPkg/IScsiDxe component where a malicious iSCSI target can trigger an integer overflow through specially crafted R2T (Ready To Transfer) messages. The issue occurs in the IScsiOnR2TRcvd function when processing R2T PDUs, where the BufferOffset and DesiredDataTransferLength values from the R2T header can cause an integer overflow, bypassing input validation. The CVSS v3.1 base score is 3.5 (LOW) with vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L (GitHub Advisory).

Impact

When successfully exploited, this vulnerability can lead to remote memory exposure where out-of-bounds memory contents can be copied into response PDUs and transmitted to the iSCSI target, resulting in potential information disclosure and denial of service (GitHub Advisory).

Mitigation and workarounds

The vulnerability affects EDK2 versions up to and including 202502. As of the advisory publication, no patched versions have been released (GitHub Advisory).