CVE-2023-45236
Advisory lineage Upstream: 0 Downstream: 13
Modified
Published: 16 Jan 2024, 16:10
Last modified:04 Nov 2025, 18:17
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
0.41% LOW
0% probability +0.03%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
16 Jan 2024, 16:10
Published
Vulnerability first disclosed
04 Nov 2025, 18:17
Last Modified
Vulnerability information updated
Description
EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Trends
Current EPSS score: 0.41%• Percentile: 62%
Techniques & Countermeasures
- CWE-200•Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- CWE-338•Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Affected Systems
- tianocore•edk2
edk2-stable202308 | ≤ 202311