CVE-2024-38798 MEDIUM

CVE-2024-38798: Uncleared password keystrokes in circular queue can lead to information disclosure or escalation of privilege

Vendor Tianocore
Product EDK2
Weakness CWE-200 · Info exposure
Published December 9, 2025
Last update December 9, 2025

CVSS base score

5.8/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L

What the vulnerability does

01Description

EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of Sensitive Information to an Unauthorized Actor” by local access. Successful exploitation of this vulnerability will lead to possible information disclosure or escalation of privilege and impact Confidentiality.

Key dates

02Disclosure timeline

December 9, 2025 CVE published
December 9, 2025 Record updated