An update for edk2 is now available for openEuler-24.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1662 Final 1.0 1.0 2026-03-20 Initial 2026-03-20 2026-03-20 openEuler SA Tool V1.0 2026-03-20 edk2 security update An update for edk2 is now available for openEuler-24.03-LTS-SP2 EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. Security Fix(es): Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.(CVE-2025-69419) An update for edk2 is now available for openEuler-24.03-LTS-SP2. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High edk2 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1662 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-69419 https://nvd.nist.gov/vuln/detail/CVE-2025-69419 openEuler-24.03-LTS-SP2 edk2-202308-31.oe2403sp2.src.rpm edk2-aarch64-202308-31.oe2403sp2.noarch.rpm edk2-help-202308-31.oe2403sp2.noarch.rpm edk2-ovmf-202308-31.oe2403sp2.noarch.rpm python3-edk2-devel-202308-31.oe2403sp2.noarch.rpm edk2-debuginfo-202308-31.oe2403sp2.aarch64.rpm edk2-debugsource-202308-31.oe2403sp2.aarch64.rpm edk2-devel-202308-31.oe2403sp2.aarch64.rpm edk2-debuginfo-202308-31.oe2403sp2.x86_64.rpm edk2-debugsource-202308-31.oe2403sp2.x86_64.rpm edk2-devel-202308-31.oe2403sp2.x86_64.rpm Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. 2026-03-20 CVE-2025-69419 openEuler-24.03-LTS-SP2 High 7.4 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N edk2 security update 2026-03-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1662