Affected versions: CentOS Stream 9

Source: AlmaLinux/RHEL advisory ALSA-2024:2264

Related CVEs: CVE-2022-36763 CVE-2022-36764 CVE-2023-3446 CVE-2023-45229 CVE-2023-45231 CVE-2023-45232 CVE-2023-45233 CVE-2023-45235  +12 more

Upstream summary: EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM.

Security Fix(es):

* edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message (CVE-2023-45235)
* EDK2: heap buffer overflow in Tcg2MeasureGptTable() (CVE-2022-36763)
* EDK2: heap buffer overflow in Tcg2MeasurePeImage() (CVE-2022-36764)
* edk2: Integer underflow when processing IA_NA/I

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On CentOS Stream 9 hosts running edk2, operators report behaviour consistent with AlmaLinux/RHEL advisory ALSA-2024:2264: dnf refusing to install or restart affected services, SELinux AVC denials in /var/log/audit/audit.log, and, for security-rated advisories, exposure to the vulnerability set above. In production estates the visible impact ranges from a single service restart to wider availability incidents whenever edk2 sits on the serving path.

Environment & Reproduction

Reproduction targets CentOS Stream 9. Confirm the release with cat /etc/centos-release and cat /etc/os-release, and the currently installed package with rpm -q edk2. Capture system state with sosreport --batch -k crio.all=on if you need an evidence bundle for a vendor support case. Trigger the workflow that exercises the vulnerable edk2 build while collecting journalctl -b, dnf history, and rpm -qa output.

Root Cause Analysis

Root cause is documented in AlmaLinux/RHEL advisory ALSA-2024:2264. Upstream maintainers shipped fixes in the corresponding edk2 update for CentOS Stream 9; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate journalctl --since timestamps with dnf history entries and any SELinux denials in /var/log/audit/audit.log (or ausearch -m AVC,USER_AVC -ts recent) to isolate the originating change.

Quick Triage

Quick triage: run systemctl status edk2, journalctl -u edk2 -n 200, dnf check-update --security, dnf updateinfo list cves, firewall-cmd --list-all, and getenforce. If SELinux is enforcing, capture ausearch -m AVC -ts recent to surface denials linked to the edk2 package.

Step-by-Step Diagnosis

1) Confirm the symptom with systemctl --failed.
2) Inspect logs: journalctl -xe and journalctl -u edk2.
3) Validate the firewall: firewall-cmd --list-all-zones.
4) Check SELinux: getenforce, sestatus, and ausearch -m AVC,USER_AVC -ts recent.
5) Verify package integrity: rpm -V edk2 and dnf reinstall edk2.
6) Correlate findings with dnf history, /var/log/dnf.log, and AlmaLinux/RHEL advisory ALSA-2024:2264 to pin the change that introduced the affected edk2 build.

Solution – Primary Fix

Primary fix: apply the corrective dnf transaction described in AlmaLinux/RHEL advisory ALSA-2024:2264, reload the affected systemd unit, and reconcile firewalld and SELinux state. Typical commands: sudo dnf -y makecache, then sudo dnf -y upgrade --security or sudo dnf -y upgrade edk2, sudo systemctl daemon-reload, sudo systemctl restart edk2, and finally rpm -q edk2 to confirm the new build is installed. For kernel advisories add sudo systemctl reboot, or apply kpatch-dnf live patches where covered by your subscription.

Solution – Alternative Approaches

Alternatives include rolling back the offending transaction with sudo dnf history undo <id>; version-locking the package with sudo dnf install python3-dnf-plugin-versionlock followed by sudo dnf versionlock add edk2; switching the firewalld backend between nftables and iptables in /etc/firewalld/firewalld.conf; and switching SELinux to permissive temporarily with sudo setenforce 0 to confirm that policy is the cause before authoring a custom policy module with audit2allow. Where kpatch is licensed, kpatch list and kpatch load apply kernel fixes without a reboot.

Verification & Acceptance Criteria

Acceptance: rpm -q edk2 shows the expected fixed version, systemctl is-active edk2 returns active, journalctl -u edk2 --since "5 minutes ago" shows no errors, dnf updateinfo list cves --installed no longer lists the CVEs above, firewall-cmd --list-services includes the required services, getenforce reports the intended mode, and the original reproduction steps no longer trigger the failure across two consecutive runs.
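Added example (not from the advisory or from the CentOS/RHEL tooling): a small POSIX shell acceptance check for the criteria above. It reads the default `dnf updateinfo list cves` output, which lists CVEs whose fixes are still pending, and treats any advisory CVE still present as unpatched; the names outstanding_cves, accept and the --live flag are this example's own, and only the eight CVEs named on this page are included.

```shell
#!/bin/sh
# Added example, not part of ALSA-2024:2264 or the CentOS Stream tooling:
# acceptance check for the verification step above. Only the eight CVEs
# named on this page are listed; append the advisory's remaining CVEs
# from the advisory text before use.
ADVISORY_CVES="CVE-2022-36763 CVE-2022-36764 CVE-2023-3446 CVE-2023-45229 \
CVE-2023-45231 CVE-2023-45232 CVE-2023-45233 CVE-2023-45235"

# outstanding_cves FILE: FILE holds the output of `dnf updateinfo list cves`
# (pending updates). Prints each advisory CVE still listed there, i.e. a fix
# that has not been applied yet. Always returns 0 so callers can capture output.
outstanding_cves() {
    for cve in $ADVISORY_CVES; do
        # -w keeps CVE-2023-3446 from matching a longer id such as CVE-2023-34461
        grep -qw -- "$cve" "$1" && echo "$cve"
    done
    return 0
}

# accept RPMQ FILE: RPMQ is the output of `rpm -q edk2`, FILE as above.
# Returns 0 only when edk2 is installed and no advisory CVE is still pending.
accept() {
    case "$1" in
        ""|"package edk2 is not installed")
            echo "edk2 is not installed" >&2
            return 1 ;;
    esac
    left=$(outstanding_cves "$2")
    if [ -n "$left" ]; then
        printf 'ALSA-2024:2264 fixes still pending for: %s\n' "$left" >&2
        return 1
    fi
    echo "$1 installed, no ALSA-2024:2264 CVE pending"
}

# Live mode: `sh edk2-accept.sh --live` queries the host; without the flag the
# functions are only defined (so the file can be sourced or tested offline).
if [ "${1:-}" = "--live" ]; then
    listing=$(mktemp)
    dnf -q updateinfo list cves > "$listing" 2>/dev/null
    accept "$(rpm -q edk2 2>/dev/null)" "$listing" && rc=0 || rc=$?
    rm -f "$listing"
    exit "$rc"
fi
```

Because edk2 here is the firmware image that QEMU/KVM guests load at boot (see the upstream summary), a guest that was already running keeps the old firmware until it is restarted, so re-check long-lived VMs after the host update.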

Rollback Plan

Capture state with dnf history list, rpm -qa > /root/rpm-pre.txt, and, where available, lvcreate -s -n preupgrade -L 4G /dev/<vg>/<lv> for an LVM snapshot. To revert, run sudo dnf history undo <id> (or sudo dnf install --allowerasing edk2-<old-version>) followed by sudo systemctl daemon-reload. Remove custom SELinux modules with sudo semodule -r <module>. Reboot if the kernel or initramfs was changed, then re-verify the symptoms.

Prevention & Hardening

Prevent recurrence by enabling dnf-automatic with upgrade_type = security in /etc/dnf/automatic.conf, subscribing to centos-announce / rhsa-announce, mirroring through a local Pulp / Foreman / Spacewalk-style repo for controlled rollouts, version-locking sensitive packages, and monitoring file integrity with aide --check. Apply CIS CentOS Stream 9 hardening, keep SELinux enforcing, and where supported enable kpatch live patching so future advisories like this can be remediated without a reboot.

Related Errors & Cross-Refs

Related issues that commonly surface alongside this edk2 advisory: dnf transaction lock contention, systemd unit ordering cycles, SELinux AVC denials in journalctl -k, firewalld zone drift, and kernel taint flags shown by cat /proc/sys/kernel/tainted. See sibling common-problem articles in this CentOS Stream 9 series for adjacent failure modes.

References & Further Reading

Primary reference: AlmaLinux/RHEL advisory ALSA-2024:2264. Supporting docs: Red Hat / CentOS Stream Administration Guide, man dnf, man systemctl, man firewall-cmd, man semanage, man audit2allow, man journalctl, the Red Hat CVE database at access.redhat.com/security/cve/, and the kpatch documentation. Review /usr/share/doc/edk2/ for component-level notes on the edk2 components affected by this advisory.