Insyde
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Insyde product.
RSS Feeds for Insyde security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Insyde products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Insyde Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 0 vulnerabilities in Insyde. Last year, in 2025 Insyde had 5 security vulnerabilities published. Right now, Insyde is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 5 | 0.00 |
| 2024 | 5 | 0.00 |
| 2023 | 31 | 7.02 |
| 2022 | 57 | 7.42 |
| 2021 | 3 | 8.10 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 0.00 |
It may take a day or so for new Insyde vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Insyde Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2024-52877 | May 15, 2025 |
InsydeH2O Kernel VarRuntimeDxe Buffer Over-Read <05.70.50An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, callback function SmmCreateVariableLockList () calls CreateVariableLockListInSmm (). In CreateVariableLockListInSmm (), it uses StrSize () to get variable name size and it could lead to a buffer over-read. |
Insydeh2o
|
| CVE-2024-52878 | May 15, 2025 |
Buffer Over-Read in InsydeH2O Kernel <05.29.50 VariableRuntimeDxe – CVE-2024-52878An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, VariableServicesSetVariable () can be called by gRT_>SetVariable () or the SmmSetSensitiveVariable () or SmmInternalSetVariable () from SMM. In VariableServicesSetVariable (), it uses StrSize () to get variable name size, uses StrLen () to get variable name length and uses StrCmp () to compare strings. These actions may cause a buffer over-read. |
Insydeh2o
|
| CVE-2024-52879 | May 15, 2025 |
InsydeH2O Kernel SMM OOB Before 05.70.50An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, SmmUpdateVariablePropertySmi () is a SMM callback function and it uses StrCmp () to compare variable names. This action may cause a buffer over-read. |
Insydeh2o
|
| CVE-2024-52880 | May 15, 2025 |
Untrusted Input in SecureBootHandler of Insyde InsydeH2O kernel before 05.29.50An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, SecureBootHandler uses DataSize and VariableNameSize when determining if the data or name are in the buffer, but these are supplied by the caller and therefore cannot be trusted. |
Kernel
Insydeh2o
|
| CVE-2024-49200 | Apr 15, 2025 |
InsydeH2O DXE Memory Corruption in AcpiS3/CSvcDxe (Kern 5.x)An issue was discovered in AcpiS3SaveDxe and ChipsetSvcDxe in Insyde InsydeH2O with kernel 5.2 though 5.7. A potential DXE memory corruption vulnerability has been identified. The root cause is use of a pointer originating from the value of an NVRAM variable as the target of a write operation. This can be leveraged by an attacker to perform arbitrary writes, potentially leading to arbitrary code execution. The issue has been fixed in kernel 5.2, Version 05.29.44; kernel 5.3, Version 05.38.44; kernel 5.4, Version 05.46.44; kernel 5.5, Version 05.54.44; kernel 5.6, Version 05.61.44; and kernel 5.7, Version 05.70.44. |
Kernel
Insydeh2o
|
| CVE-2024-27353 | May 15, 2024 |
InsydeH2O Kernel MemCorrupt in SdHost/SdMmcDevice <5.6-05.61.09 (CVE-2024-27353)A memory corruption vulnerability in SdHost and SdMmcDevice in Insyde InsydeH2O kernel 5.2 before 05.29.09, kernel 5.3 before 05.38.09, kernel 5.4 before 05.46.09, kernel 5.5 before 05.54.09, and kernel 5.6 before 05.61.09 could lead to escalating privileges in SMM. |
Insydeh2o
|
| CVE-2024-25079 | May 15, 2024 |
MemCrc in InsydeH2O HddPassword (kernel 5.x <05.61.09) SMM Priv EscA memory corruption vulnerability in HddPassword in Insyde InsydeH2O kernel 5.2 before 05.29.09, kernel 5.3 before 05.38.09, kernel 5.4 before 05.46.09, kernel 5.5 before 05.54.09, and kernel 5.6 before 05.61.09 could lead to escalating privileges in SMM. |
Insydeh2o
|
| CVE-2024-25078 | May 15, 2024 |
StorageSecurityCommandDxe Memory Corruption InsydeH2O Kernel <5.2 Priv EscA memory corruption vulnerability in StorageSecurityCommandDxe in Insyde InsydeH2O before kernel 5.2: IB19130163 in 05.29.07, kernel 5.3: IB19130163 in 05.38.07, kernel 5.4: IB19130163 in 05.46.07, kernel 5.5: IB19130163 in 05.54.07, and kernel 5.6: IB19130163 in 05.61.07 could lead to escalating privileges in SMM. |
Kernel
Insydeh2o
|
| CVE-2023-47252 | Apr 26, 2024 |
InsydeH2O PnpSmm OOB in SMM Comm Buffer (k5.0-5.6) Fixed in 5.2+An issue was discovered in PnpSmm in Insyde InsydeH2O with kernel 5.0 through 5.6. There is a possible out-of-bounds access in the SMM communication buffer, leading to tampering. The PNP-related SMI sub-functions do not verify data size before getting it from the communication buffer, which could lead to possible circumstances where the data immediately following the command buffer could be destroyed with a fixed value. This is fixed in kernel 5.2 v05.28.45, kernel 5.3 v05.37.45, kernel 5.4 v05.45.45, kernel 5.5 v05.53.45, and kernel 5.6 v05.60.45. |
Kernel
Insydeh2o
|
| CVE-2022-46897 | Apr 22, 2024 |
InsydeH2O CapsuleIFWUSmm Driver Return-Value Omission 5.0-5.5An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The CapsuleIFWUSmm driver does not check the return value from a method or function. This can prevent it from detecting unexpected states and conditions. |
Kernel
Insydeh2o
|
| CVE-2022-24351 | Dec 16, 2023 |
TOCTOU bug in InsydeH2O firmware (kernel 5.2-5.5) enables data tamperingTOCTOU race-condition vulnerability in Insyde InsydeH2O with Kernel 5.2 before version 05.27.29, Kernel 5.3 before version 05.36.29, Kernel 5.4 version before 05.44.13, and Kernel 5.5 before version 05.52.13 allows an attacker to alter data and code used by the remainder of the boot process. |
Insydeh2o
|
| CVE-2023-40238 | Dec 07, 2023 |
InsydeH2O BmpDecoderDxe LogoFAIL pre-5.205.28.47, pre-5.305.37.47, pre-5.405.45.47A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 for certain Lenovo devices. Image parsing of crafted BMP logo files can copy data to a specific address during the DXE phase of UEFI execution. This occurs because of an integer signedness error involving PixelHeight and PixelWidth during RLE4/RLE8 compression. |
Insydeh2o
|
| CVE-2023-39283 | Nov 02, 2023 |
InsydeH2O SMRAM write SMM driver privilege escalation (5.0-5.5)An SMM memory corruption vulnerability in the SMM driver (SMRAM write) in CsmInt10HookSmm in Insyde InsydeH2O with kernel 5.0 through 5.5 allows attackers to send arbitrary data to SMM which could lead to privilege escalation. |
Insydeh2o
|
| CVE-2023-39284 | Nov 02, 2023 |
Insyde InsydeH2O 5.05.5 Arbitrary SetVariable Calls in IhisiServicesSmmAn issue was discovered in IhisiServicesSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. There are arbitrary calls to SetVariable with unsanitized arguments in the SMI handler. |
Insydeh2o
|
| CVE-2023-39281 | Nov 01, 2023 |
InsydeH2O AsfSecureBootDxe Stack Buffer Overflow 5.0-5.5A stack buffer overflow vulnerability discovered in AsfSecureBootDxe in Insyde InsydeH2O with kernel 5.0 through 5.5 allows attackers to run arbitrary code execution during the DXE phase. |
Insydeh2o
|
| CVE-2023-30633 | Oct 19, 2023 |
InsydeH2O TrEEConfigDriver v5.05.5: TPM PCR SpoofingAn issue was discovered in TrEEConfigDriver in Insyde InsydeH2O with kernel 5.0 through 5.5. It can report false TPM PCR values, and thus mask malware activity. Devices use Platform Configuration Registers (PCRs) to record information about device and software configuration to ensure that the boot process is secure. (For example, Windows uses these PCR measurements to determine device health.) A vulnerable device can masquerade as a healthy device by extending arbitrary values into Platform Configuration Register (PCR) banks. This requires physical access to a target victim's device, or compromise of user credentials for a device. This issue is similar to CVE-2021-42299 (on Surface Pro devices). |
Insydeh2o
|
| CVE-2023-34195 | Sep 18, 2023 |
InsydeInsydeH2O DXE RCE via GetImageProgress UEFI Variable (5.0-5.5)An issue was discovered in SystemFirmwareManagementRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The implementation of the GetImage method retrieves the value of a runtime variable named GetImageProgress, and later uses this value as a function pointer. This variable is wiped out by the same module near the end of the function. By setting this UEFI variable from the OS to point into custom code, an attacker could achieve arbitrary code execution in the DXE phase, before several chipset locks are set. |
Insydeh2o
|
| CVE-2021-33834 | Sep 08, 2023 |
Insyde H2OFFT 6.20.00 iscflashx64.sys Buffer Overwrite via IOCTL 0x22229aAn issue was discovered in iscflashx64.sys 3.9.3.0 in Insyde H2OFFT 6.20.00. When handling IOCTL 0x22229a, the input used to allocate a buffer and copy memory is mishandled. This could cause memory corruption or a system crash. |
Iscflashx64 Sys
H2offt
|
| CVE-2023-27471 | Aug 18, 2023 |
InsydeH2O UEFI MeSetup Variable Overwrite CVE-2023-27471 (Kernel 5.0-5.5)An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. UEFI implementations do not correctly protect and validate information contained in the 'MeSetup' UEFI variable. On some systems, this variable can be overwritten using operating system APIs. Exploitation of this vulnerability could potentially lead to denial of service for the platform. |
Insydeh2o
|
| CVE-2023-31041 | Aug 14, 2023 |
InsydeH2O SysPasswordDxe 5.0-5.5 cleartext password disclosureAn issue was discovered in SysPasswordDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. System password information could optionally be stored in cleartext, which might lead to possible information disclosure. |
Insydeh2o
|
| CVE-2023-27373 | Aug 07, 2023 |
InsydeH2O 5.05.5: RuntimeEFI Variable Validation Flaw Overlap SMRAMAn issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. Due to insufficient input validation, an attacker can tamper with a runtime-accessible EFI variable to cause a dynamic BAR setting to overlap SMRAM. |
Insydeh2o
|
| CVE-2023-28468 | Aug 03, 2023 |
InsydeH2O FvbServicesRuntimeDxe SMM SMI Access SPI Flash on Kernel 5.0-5.5An issue was discovered in FvbServicesRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The FvbServicesRuntimeDxe SMM module exposes an SMI handler that allows an attacker to interact with the SPI flash at run-time from the OS. |
Kernel
|
| CVE-2023-25600 | Aug 03, 2023 |
InsydeH2O firmware OOB read via EFI var tamper, fixed v01.01.04.0016An issue was discovered in InsydeH2O. A malicious operating system can tamper with a runtime-writable EFI variable, leading to out-of-bounds memory reads and a denial of service. This is fixed in version 01.01.04.0016. |
Insydecrpkg
Insydeh2o
|
| CVE-2022-24350 | Apr 12, 2023 |
Insyde InsydeH2O Kernel 5.x Vulnerability: IHISI Fn 0x17 Buffer OverflowAn issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. IHISI function 0x17 verifies that the output buffer lies within the command buffer but does not verify that output data does not go beyond the end of the command buffer. In particular, the GetFlashTable function is called directly on the Command Buffer before the DataSize is check, leading to possible circumstances where the data immediately following the command buffer could be destroyed before returning a buffer size error. |
Insydeh2o
|
| CVE-2023-22616 | Apr 12, 2023 |
Insyde H2O SMRAM Corruption via Unchecked Save State Register (v5.2-5.5)An issue was discovered in Insyde InsydeH2O with kernel 5.2 through 5.5. The Save State register is not checked before use. The IhisiSmm driver does not check the value of a save state register before use. Due to insufficient input validation, an attacker can corrupt SMRAM. |
Insydeh2o
|
| CVE-2023-22613 | Apr 11, 2023 |
InsydeH2O BIOS 5.0-5.5: SMM Mem Corrupt via Malformed RCX Pointer in IhisiSmmAn issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. It is possible to write to an attacker-controlled address. An attacker could invoke an SMI handler with a malformed pointer in RCX that overlaps SMRAM, resulting in SMM memory corruption. |
Insydeh20
Insydeh2o
|
| CVE-2023-22614 | Apr 11, 2023 |
Memory Corruption in Insyde InsydeH2O ChipsetSvcSmm (Kernel 5.0-5.5)An issue was discovered in ChipsetSvcSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. There is insufficient input validation in BIOS Guard updates. An attacker can induce memory corruption in SMM by supplying malformed inputs to the BIOS Guard SMI handler. |
Insydeh20
Insydeh2o
|
| CVE-2023-22612 | Apr 11, 2023 |
Memory Corruption in InsydeH2O (IhisiSmm) 5.0-5.5An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. A malicious host OS can invoke an Insyde SMI handler with malformed arguments, resulting in memory corruption in SMM. |
Insydeh20
Insydeh2o
|
| CVE-2023-22615 | Apr 11, 2023 |
InsydeH2O IHISI SMRAM Overwrite 5.0-5.5An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. IHISI subfunction execution may corrupt SMRAM. An attacker can pass an address in the RCX save state register that overlaps SMRAM, thereby coercing an IHISI subfunction handler to overwrite private SMRAM. |
Insydeh20
Insydeh2o
|
| CVE-2022-32469 | Feb 15, 2023 |
InsydeH2O v5.0-5.5 DMA TOCTOU Priv EscalationAn issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the PnpSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it. |
Insydeh2o
|
| CVE-2022-32475 | Feb 15, 2023 |
InsydeH2O 5.0-5.5 DMA Race in VariableRuntimeDxe Enables PrivEscAn issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the VariableRuntimeDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This issue was fixed in the kernel, which also protected chipset and OEM chipset code. |
Insydeh2o
|
| CVE-2022-32477 | Feb 15, 2023 |
DMA TOCTOU in InsydeH2O 5.0-5.5 FvbServicesRuntimeDxe (SMRAM)An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the FvbServicesRuntimeDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it. |
Insydeh2o
|
| CVE-2022-32470 | Feb 15, 2023 |
InsydeH2O 5.x DMA TOCTOU in FwBlockServiceSmm bufferAn issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the FwBlockServiceSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it. |
Insydeh2o
|
| CVE-2022-32473 | Feb 15, 2023 |
InsydeH2O 5.05.5 DMA race in HddPassword buffer enables privilege escalationAn issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the HddPassword shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it. |
Insydeh2o
|
| CVE-2022-32476 | Feb 15, 2023 |
InsydeH2O AhciBusDxe DMA TOCTOU Priv Escalation 5.0-5.5An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the AhciBusDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it. |
Insydeh2o
|
| CVE-2022-32953 | Feb 15, 2023 |
InsydeH2O kernel 5.05.5 SMBus DMA TOCTOU -> SMRAM corruptionAn issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the SdHostDriver buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated by using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the link data to SMRAM before checking it and verifying that all pointers are within the buffer. |
Insydeh2o
|
| CVE-2022-32471 | Feb 15, 2023 |
IhisiSmm DMA Buffer Overflow in InsydeH2O 5.0-5.5: Priv EscAn issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. The IhisiDxe driver uses the command buffer to pass input and output data. By modifying the command buffer contents with DMA after the input parameters have been checked but before they are used, the IHISI SMM code may be convinced to modify SMRAM or OS, leading to possible data corruption or escalation of privileges. |
Insydeh2o
|
| CVE-2022-32474 | Feb 15, 2023 |
InsydeH2O 5.0-5.5 DMA Race to Priv Escalation (SMM)An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the StorageSecurityCommandDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it. |
Insydeh2o
|
| CVE-2022-32478 | Feb 15, 2023 |
InsydeH2O 5.0-5.5 DMA Race SMRAM Corruption & Priv EscalationAn issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the IdeBusDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it. |
Insydeh2o
|
| CVE-2022-32954 | Feb 15, 2023 |
InsydeH2O DMA TOCTOU Race in SdMmcDevice before 5.5 (SMRAM corruption)An issue was discovered in Insyde InsydeH2O with kernel 5.1 through 5.5. DMA attacks on the SdMmcDevice buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated by using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the link data to SMRAM before checking it and verifying that all pointers are within the buffer. |
Insydeh2o
|
| CVE-2022-32955 | Feb 15, 2023 |
InsydeH2O kernel 5.05.5 NvmExpressDxe DMA Race leading to SMRAM corruptionAn issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the NvmExpressDxe buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated by using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the link data to SMRAM before checking it and verifying that all pointers are within the buffer. |
Insydeh2o
|
| CVE-2022-36337 | Nov 23, 2022 |
InsydeH2O 5.0-5.5 MebxConfiguration Stack Buffer OverflowAn issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. A stack buffer overflow vulnerability in the MebxConfiguration driver leads to arbitrary code execution. Control of a UEFI variable under the OS can cause this overflow when read by BIOS code. |
Kernel
Insydeh2o
|
| CVE-2022-35407 | Nov 22, 2022 |
Buffer Overflow in InsydeH2O SetupUtility Driver (5.0-5.5)An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. A stack buffer overflow leads to arbitrary code execution in the SetupUtility driver on Intel platforms. An attacker can change the values of certain UEFI variables. If the size of the second variable exceeds the size of the first, then the buffer will be overwritten. This issue affects the SetupUtility driver of InsydeH2O. |
Kernel
Insydeh2o
|
| CVE-2022-35897 | Nov 21, 2022 |
InsydeH2O UEFI Variables Buffer Overflow via SPI (CVE-2022-35897)An stack buffer overflow vulnerability leads to arbitrary code execution issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. If the attacker modifies specific UEFI variables, it can cause a stack overflow, leading to arbitrary code execution. The specific variables are normally locked (read-only) at the OS level and therefore an attack would require direct SPI modification. If an attacker can change the values of at least two variables out of three (SecureBootEnforce, SecureBoot, RestoreBootSettings), it is possible to execute arbitrary code. |
Kernel
Insydeh2o
|
| CVE-2022-29279 | Nov 15, 2022 |
Kernel Untrusted Pointers in SdHostDriver allow SMRAM tampering before v5.6Use of a untrusted pointer allows tampering with SMRAM and OS memory in SdHostDriver and SdMmcDevice Use of a untrusted pointer allows tampering with SMRAM and OS memory in SdHostDriver and SdMmcDevice. This issue was discovered by Insyde during security review. It was fixed in: Kernel 5.0: version 05.09.17 Kernel 5.1: version 05.17.17 Kernel 5.2: version 05.27.17 Kernel 5.3: version 05.36.17 Kernel 5.4: version 05.44.17 Kernel 5.5: version 05.52.17 https://www.insyde.com/security-pledge/SA-2022062 |
Kernel
|
| CVE-2022-29276 | Nov 15, 2022 |
SMRAM corruption via untrusted inputs in AhciBusDxe InsydeH2O Before 05.09.18SMI functions in AhciBusDxe use untrusted inputs leading to corruption of SMRAM. SMI functions in AhciBusDxe use untrusted inputs leading to corruption of SMRAM. This issue was discovered by Insyde during security review. It was fixed in: Kernel 5.0: version 05.09.18 Kernel 5.1: version 05.17.18 Kernel 5.2: version 05.27.18 Kernel 5.3: version 05.36.18 Kernel 5.4: version 05.44.18 Kernel 5.5: version 05.52.18 https://www.insyde.com/security-pledge/SA-2022059 |
Kernel
Insydeh2o
|
| CVE-2022-29278 | Nov 15, 2022 |
Insyde UEFI NvmExpressDxe Pointer Check Flaw TAMPER SMRAM OS memoryIncorrect pointer checks within the NvmExpressDxe driver can allow tampering with SMRAM and OS memory Incorrect pointer checks within the NvmExpressDxe driver can allow tampering with SMRAM and OS memory. This issue was discovered by Insyde during security review. Fixed in: Kernel 5.1: Version 05.17.23 Kernel 5.2: Version 05.27.23 Kernel 5.3: Version 05.36.23 Kernel 5.4: Version 05.44.23 Kernel 5.5: Version 05.52.23 https://www.insyde.com/security-pledge/SA-2022061 |
Kernel
|
| CVE-2022-29275 | Nov 15, 2022 |
SMRAM/OS Mem Tampering via UsbCoreDxe (Ingress Ptr) Fixed in 05.09.21In UsbCoreDxe, untrusted input may allow SMRAM or OS memory tampering Use of untrusted pointers could allow OS or SMRAM memory tampering leading to escalation of privileges. This issue was discovered by Insyde during security review. It was fixed in: Kernel 5.0: version 05.09.21 Kernel 5.1: version 05.17.21 Kernel 5.2: version 05.27.21 Kernel 5.3: version 05.36.21 Kernel 5.4: version 05.44.21 Kernel 5.5: version 05.52.21 https://www.insyde.com/security-pledge/SA-2022058 |
Kernel
|
| CVE-2022-30772 | Nov 15, 2022 |
PnpSmm Driver Addr Overwrite via SMBIOS (Kernel5.x Fixed)Manipulation of the input address in PnpSmm function 0x52 could be used by malware to overwrite SMRAM or OS kernel memory. Function 0x52 of the PnpSmm driver is passed the address and size of data to write into the SMBIOS table, but manipulation of the address could be used by malware to overwrite SMRAM or OS kernel memory. This issue was discovered by Insyde engineering during a security review. This issue is fixed in: Kernel 5.0: 05.09.41 Kernel 5.1: 05.17.43 Kernel 5.2: 05.27.30 Kernel 5.3: 05.36.30 Kernel 5.4: 05.44.30 Kernel 5.5: 05.52.30 https://www.insyde.com/security-pledge/SA-2022065 |
Kernel
|
| CVE-2022-30771 | Nov 15, 2022 |
SMRAM Corruption via PnpSmm Init in Linux Kernel 5.1-5.5 (Fixed 05.17-05.52)Initialization function in PnpSmm could lead to SMRAM corruption when using subsequent PNP SMI functions Initialization function in PnpSmm could lead to SMRAM corruption when using subsequent PNP SMI functions. This issue was discovered by Insyde engineering during a security review. Fixed in: Kernel 5.1: Version 05.17.25 Kernel 5.2: Version 05.27.25 Kernel 5.3: Version 05.36.25 Kernel 5.4: Version 05.44.25 Kernel 5.5: Version 05.52.25 https://www.insyde.com/security-pledge/SA-2022064 |
Kernel
|