ELSA-2026-18465

ELSA-2026-18465 - edk2 security update

Type:SECURITY
Impact:IMPORTANT
Release Date:2026-07-08

Description


[20251114-5.0.1]
- Replace upstream references [Orabug:36569119]

[20251114-5]
- edk2-add-uefi-vars-firmware-json-files.patch [RHEL-150696]
- Resolves: RHEL-150696
(edk2: Add JSON descriptors for uefi-vars builds)

[20251114-4]
- edk2-OvmfPkg-X86QemuLoadImageLib-flip-default-for-EnableL.patch [RHEL-134956]
- edk2-update-openssl-rhel-submodule.patch [RHEL-147785]
- edk2-update-openssl-rhel-tarball.patch [RHEL-147785]
- Resolves: RHEL-134956
(CVE-2025-2296 edk2: EDK2: Improper Input Validation allows arbitrary command execution [rhel-10.2])
- Resolves: RHEL-147785
([edk2] pick up openssl updates)

[20251114-3]
- edk2-OvmfPkg-AmdSev-add-memory-debug-log-support.patch [RHEL-139470]
- edk2-OvmfPkg-MemDebugLogPeiLib-drop-duplicate-MemDebugLog.patch [RHEL-139470]
- edk2-OvmfPkg-MemDebugLogPeiCoreLib-enable-for-PEIMs.patch [RHEL-139470]
- edk2-ArmVirtPkg-use-MemDebugLogPeiCoreLib-for-PEIMs.patch [RHEL-139470]
- edk2-OvmfPkg-use-MemDebugLogPeiCoreLib-for-PEIMs.patch [RHEL-139470]
- Resolves: RHEL-139470
(Enable memory debug logging support in firmware image configs)

[20251114-2]
- edk2-ArmPkg-UefiCpuPkg-Fix-boot-failure-on-FEAT_LPA-only-.patch [RHEL-138335]
- Resolves: RHEL-138335
([AmpereoneX] ArmConfigureMmu: The MaxAddress 0xFFFFFFFFFFFFF is not supported by this MMU configuration)

[20251114-1]
- Rebase to edk2-stable202511 [RHEL-118386]
- Resolves: RHEL-118386
([edk2,rhel-10] rebase to edk2-stable202511)

[20250822-4]
- edk2-make-dbxupdate.sh-get-version-tag-add-to-commit-mess.patch [RHEL-126085]
- edk2-update-dbx-to-20251016-v1.6.1.patch [RHEL-126085]
- Resolves: RHEL-126085
([edk2,rhel-10] dbx update to 20251016 / v1.6.1)

[20250822-3]
- edk2-Bumped-OpenSSL-to-3.5.1-6.patch [RHEL-115880]
- Resolves: RHEL-115880
(CVE-2025-9230 edk2: Out-of-bounds read & write in RFC 3211 KEK Unwrap [rhel-10.2])

[20250822-2]
- edk2-add-DBXUpdate-20250610.aa64.bin.patch [RHEL-109548]
- Resolves: RHEL-109548
([aarch64][edk2] missing DBXUpdate-.aa64.bin)

[20250822-1]
- Rebase to edk2-stable202508 [RHEL-111718]
- Resolves: RHEL-111718
([edk2,rhel-10] rebase to edk2-stable202508)


Related CVEs


CVE-2025-2296

Updated Packages


Release/ArchitectureFilenamesha256Superseded By AdvisoryChannel Label
Oracle Linux 10 (aarch64) edk2-20251114-5.0.1.el10_2.src.rpm6d7d4e9acfc43ae38da3c6997ca6883efc58e8c4b9047f6ee46270b36468fc03-ol10_aarch64_appstream
edk2-20251114-5.0.1.el10_2.src.rpm6d7d4e9acfc43ae38da3c6997ca6883efc58e8c4b9047f6ee46270b36468fc03-ol10_aarch64_codeready_builder
edk2-aarch64-20251114-5.0.1.el10_2.noarch.rpme1fe9b38151321134096a1a4344cd19e5d4fb783909bd0ff56db11245981c1da-ol10_aarch64_appstream
edk2-ovmf-20251114-5.0.1.el10_2.noarch.rpmc8718068b85d8e80a062154f70e6338e80bd4b59104fc9a93df72f5705a2c341-ol10_aarch64_codeready_builder
edk2-tools-20251114-5.0.1.el10_2.aarch64.rpmed3d3f8dcc70dc97d47e1df0eb8ac59de8a83927bc64401a532d01e20bf3290e-ol10_aarch64_codeready_builder
edk2-tools-doc-20251114-5.0.1.el10_2.noarch.rpmcef36d222ca8710c3180fbbbc43d92ad632c7442ed53e5e8eb35f1865e79681c-ol10_aarch64_codeready_builder
Oracle Linux 10 (x86_64) edk2-20251114-5.0.1.el10_2.src.rpm6d7d4e9acfc43ae38da3c6997ca6883efc58e8c4b9047f6ee46270b36468fc03-ol10_x86_64_appstream
edk2-20251114-5.0.1.el10_2.src.rpm6d7d4e9acfc43ae38da3c6997ca6883efc58e8c4b9047f6ee46270b36468fc03-ol10_x86_64_codeready_builder
edk2-aarch64-20251114-5.0.1.el10_2.noarch.rpme1fe9b38151321134096a1a4344cd19e5d4fb783909bd0ff56db11245981c1da-ol10_x86_64_codeready_builder
edk2-ovmf-20251114-5.0.1.el10_2.noarch.rpmc8718068b85d8e80a062154f70e6338e80bd4b59104fc9a93df72f5705a2c341-ol10_x86_64_appstream
edk2-tools-20251114-5.0.1.el10_2.x86_64.rpmcd3e69e55615d3d3486dff1e9f9f5ead49b1e5a3bc70320762c5fc541a4df13a-ol10_x86_64_codeready_builder
edk2-tools-doc-20251114-5.0.1.el10_2.noarch.rpmcef36d222ca8710c3180fbbbc43d92ad632c7442ed53e5e8eb35f1865e79681c-ol10_x86_64_codeready_builder



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete