There are 9 open security issues in buster.
3 important issues:
A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system.
Heap Overflow in BaseBmpSupportLib.
Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize.
6 issues left for the package maintainer to handle:
Insufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.
An unlimited recursion in DxeCore in EDK II.
A heap overflow in LzmaUefiDecompressGetInfo function in EDK II.
BootPerformanceTable pointer is read from an NVRAM variable in PEI. Recommend setting PcdFirmwarePerformanceDataTableS3Support to FALSE.
NetworkPkg/IScsiDxe has remotely exploitable buffer overflows.
You can find information about how to handle these issues in the security team's documentation.