Insydeh2o

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Insydeh2o.

By the Year

In 2026 there have been 0 vulnerabilities in Insydeh2o. Last year, in 2025 Insydeh2o had 5 security vulnerabilities published. Right now, Insydeh2o is on track to have less security vulnerabilities in 2026 than it did last year.

Year	Vulnerabilities	Average Score
2026	0	0.00
2025	5	0.00
2024	5	0.00
2023	29	7.04
2022	36	7.70
2021	2	0.00

It may take a day or so for new Insydeh2o vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Insydeh2o Security Vulnerabilities

InsydeH2O Kernel SMM OOB Before 05.70.50
CVE-2024-52879 - May 15, 2025

Buffer Over-Read in InsydeH2O Kernel <05.29.50 VariableRuntimeDxe – CVE-2024-52878
CVE-2024-52878 - May 15, 2025

An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, VariableServicesSetVariable () can be called by gRT_>SetVariable () or the SmmSetSensitiveVariable () or SmmInternalSetVariable () from SMM. In VariableServicesSetVariable (), it uses StrSize () to get variable name size, uses StrLen () to get variable name length and uses StrCmp () to compare strings. These actions may cause a buffer over-read.

Untrusted Input in SecureBootHandler of Insyde InsydeH2O kernel before 05.29.50
CVE-2024-52880 - May 15, 2025

An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, SecureBootHandler uses DataSize and VariableNameSize when determining if the data or name are in the buffer, but these are supplied by the caller and therefore cannot be trusted.

InsydeH2O Kernel VarRuntimeDxe Buffer Over-Read <05.70.50
CVE-2024-52877 - May 15, 2025

An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, callback function SmmCreateVariableLockList () calls CreateVariableLockListInSmm (). In CreateVariableLockListInSmm (), it uses StrSize () to get variable name size and it could lead to a buffer over-read.

InsydeH2O DXE Memory Corruption in AcpiS3/CSvcDxe (Kern 5.x)
CVE-2024-49200 - April 15, 2025

An issue was discovered in AcpiS3SaveDxe and ChipsetSvcDxe in Insyde InsydeH2O with kernel 5.2 though 5.7. A potential DXE memory corruption vulnerability has been identified. The root cause is use of a pointer originating from the value of an NVRAM variable as the target of a write operation. This can be leveraged by an attacker to perform arbitrary writes, potentially leading to arbitrary code execution. The issue has been fixed in kernel 5.2, Version 05.29.44; kernel 5.3, Version 05.38.44; kernel 5.4, Version 05.46.44; kernel 5.5, Version 05.54.44; kernel 5.6, Version 05.61.44; and kernel 5.7, Version 05.70.44.

MemCrc in InsydeH2O HddPassword (kernel 5.x <05.61.09) SMM Priv Esc
CVE-2024-25079 - May 15, 2024

A memory corruption vulnerability in HddPassword in Insyde InsydeH2O kernel 5.2 before 05.29.09, kernel 5.3 before 05.38.09, kernel 5.4 before 05.46.09, kernel 5.5 before 05.54.09, and kernel 5.6 before 05.61.09 could lead to escalating privileges in SMM.

InsydeH2O Kernel MemCorrupt in SdHost/SdMmcDevice <5.6-05.61.09 (CVE-2024-27353)
CVE-2024-27353 - May 15, 2024

A memory corruption vulnerability in SdHost and SdMmcDevice in Insyde InsydeH2O kernel 5.2 before 05.29.09, kernel 5.3 before 05.38.09, kernel 5.4 before 05.46.09, kernel 5.5 before 05.54.09, and kernel 5.6 before 05.61.09 could lead to escalating privileges in SMM.

StorageSecurityCommandDxe Memory Corruption InsydeH2O Kernel <5.2 Priv Esc
CVE-2024-25078 - May 15, 2024

A memory corruption vulnerability in StorageSecurityCommandDxe in Insyde InsydeH2O before kernel 5.2: IB19130163 in 05.29.07, kernel 5.3: IB19130163 in 05.38.07, kernel 5.4: IB19130163 in 05.46.07, kernel 5.5: IB19130163 in 05.54.07, and kernel 5.6: IB19130163 in 05.61.07 could lead to escalating privileges in SMM.

InsydeH2O PnpSmm OOB in SMM Comm Buffer (k5.0-5.6) Fixed in 5.2+
CVE-2023-47252 - April 26, 2024

An issue was discovered in PnpSmm in Insyde InsydeH2O with kernel 5.0 through 5.6. There is a possible out-of-bounds access in the SMM communication buffer, leading to tampering. The PNP-related SMI sub-functions do not verify data size before getting it from the communication buffer, which could lead to possible circumstances where the data immediately following the command buffer could be destroyed with a fixed value. This is fixed in kernel 5.2 v05.28.45, kernel 5.3 v05.37.45, kernel 5.4 v05.45.45, kernel 5.5 v05.53.45, and kernel 5.6 v05.60.45.

InsydeH2O CapsuleIFWUSmm Driver Return-Value Omission 5.0-5.5
CVE-2022-46897 - April 22, 2024

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The CapsuleIFWUSmm driver does not check the return value from a method or function. This can prevent it from detecting unexpected states and conditions.

TOCTOU bug in InsydeH2O firmware (kernel 5.2-5.5) enables data tampering
CVE-2022-24351 4.7 - Medium - December 16, 2023

TOCTOU race-condition vulnerability in Insyde InsydeH2O with Kernel 5.2 before version 05.27.29, Kernel 5.3 before version 05.36.29, Kernel 5.4 version before 05.44.13, and Kernel 5.5 before version 05.52.13 allows an attacker to alter data and code used by the remainder of the boot process.

TOCTTOU

InsydeH2O BmpDecoderDxe LogoFAIL pre-5.205.28.47, pre-5.305.37.47, pre-5.405.45.47
CVE-2023-40238 5.5 - Medium - December 07, 2023

A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 for certain Lenovo devices. Image parsing of crafted BMP logo files can copy data to a specific address during the DXE phase of UEFI execution. This occurs because of an integer signedness error involving PixelHeight and PixelWidth during RLE4/RLE8 compression.

Cleartext Storage of Sensitive Information

InsydeH2O SMRAM write SMM driver privilege escalation (5.0-5.5)
CVE-2023-39283 7.8 - High - November 02, 2023

An SMM memory corruption vulnerability in the SMM driver (SMRAM write) in CsmInt10HookSmm in Insyde InsydeH2O with kernel 5.0 through 5.5 allows attackers to send arbitrary data to SMM which could lead to privilege escalation.

Memory Corruption

Insyde InsydeH2O 5.05.5 Arbitrary SetVariable Calls in IhisiServicesSmm
CVE-2023-39284 5.5 - Medium - November 02, 2023

An issue was discovered in IhisiServicesSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. There are arbitrary calls to SetVariable with unsanitized arguments in the SMI handler.

InsydeH2O AsfSecureBootDxe Stack Buffer Overflow 5.0-5.5
CVE-2023-39281 9.8 - Critical - November 01, 2023

A stack buffer overflow vulnerability discovered in AsfSecureBootDxe in Insyde InsydeH2O with kernel 5.0 through 5.5 allows attackers to run arbitrary code execution during the DXE phase.

Memory Corruption

InsydeH2O TrEEConfigDriver v5.05.5: TPM PCR Spoofing
CVE-2023-30633 5.3 - Medium - October 19, 2023

An issue was discovered in TrEEConfigDriver in Insyde InsydeH2O with kernel 5.0 through 5.5. It can report false TPM PCR values, and thus mask malware activity. Devices use Platform Configuration Registers (PCRs) to record information about device and software configuration to ensure that the boot process is secure. (For example, Windows uses these PCR measurements to determine device health.) A vulnerable device can masquerade as a healthy device by extending arbitrary values into Platform Configuration Register (PCR) banks. This requires physical access to a target victim's device, or compromise of user credentials for a device. This issue is similar to CVE-2021-42299 (on Surface Pro devices).

InsydeInsydeH2O DXE RCE via GetImageProgress UEFI Variable (5.0-5.5)
CVE-2023-34195 7.8 - High - September 18, 2023

An issue was discovered in SystemFirmwareManagementRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The implementation of the GetImage method retrieves the value of a runtime variable named GetImageProgress, and later uses this value as a function pointer. This variable is wiped out by the same module near the end of the function. By setting this UEFI variable from the OS to point into custom code, an attacker could achieve arbitrary code execution in the DXE phase, before several chipset locks are set.

InsydeH2O UEFI MeSetup Variable Overwrite CVE-2023-27471 (Kernel 5.0-5.5)
CVE-2023-27471 5.5 - Medium - August 18, 2023

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. UEFI implementations do not correctly protect and validate information contained in the 'MeSetup' UEFI variable. On some systems, this variable can be overwritten using operating system APIs. Exploitation of this vulnerability could potentially lead to denial of service for the platform.

InsydeH2O SysPasswordDxe 5.0-5.5 cleartext password disclosure
CVE-2023-31041 7.5 - High - August 14, 2023

An issue was discovered in SysPasswordDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. System password information could optionally be stored in cleartext, which might lead to possible information disclosure.

Cleartext Storage of Sensitive Information

InsydeH2O 5.05.5: RuntimeEFI Variable Validation Flaw Overlap SMRAM
CVE-2023-27373 5.5 - Medium - August 07, 2023

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. Due to insufficient input validation, an attacker can tamper with a runtime-accessible EFI variable to cause a dynamic BAR setting to overlap SMRAM.

Improper Input Validation

InsydeH2O firmware OOB read via EFI var tamper, fixed v01.01.04.0016
CVE-2023-25600 7.1 - High - August 03, 2023

An issue was discovered in InsydeH2O. A malicious operating system can tamper with a runtime-writable EFI variable, leading to out-of-bounds memory reads and a denial of service. This is fixed in version 01.01.04.0016.

Out-of-bounds Read

Insyde InsydeH2O Kernel 5.x Vulnerability: IHISI Fn 0x17 Buffer Overflow
CVE-2022-24350 5.5 - Medium - April 12, 2023

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. IHISI function 0x17 verifies that the output buffer lies within the command buffer but does not verify that output data does not go beyond the end of the command buffer. In particular, the GetFlashTable function is called directly on the Command Buffer before the DataSize is check, leading to possible circumstances where the data immediately following the command buffer could be destroyed before returning a buffer size error.

Classic Buffer Overflow

Insyde H2O SMRAM Corruption via Unchecked Save State Register (v5.2-5.5)
CVE-2023-22616 7.8 - High - April 12, 2023

An issue was discovered in Insyde InsydeH2O with kernel 5.2 through 5.5. The Save State register is not checked before use. The IhisiSmm driver does not check the value of a save state register before use. Due to insufficient input validation, an attacker can corrupt SMRAM.

Externally Controlled Reference to a Resource in Another Sphere

InsydeH2O BIOS 5.0-5.5: SMM Mem Corrupt via Malformed RCX Pointer in IhisiSmm
CVE-2023-22613 8.8 - High - April 11, 2023

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. It is possible to write to an attacker-controlled address. An attacker could invoke an SMI handler with a malformed pointer in RCX that overlaps SMRAM, resulting in SMM memory corruption.

Memory Corruption

Memory Corruption in InsydeH2O (IhisiSmm) 5.0-5.5
CVE-2023-22612 8.8 - High - April 11, 2023

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. A malicious host OS can invoke an Insyde SMI handler with malformed arguments, resulting in memory corruption in SMM.

Memory Corruption

Memory Corruption in Insyde InsydeH2O ChipsetSvcSmm (Kernel 5.0-5.5)
CVE-2023-22614 8.8 - High - April 11, 2023

An issue was discovered in ChipsetSvcSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. There is insufficient input validation in BIOS Guard updates. An attacker can induce memory corruption in SMM by supplying malformed inputs to the BIOS Guard SMI handler.

Memory Corruption

InsydeH2O IHISI SMRAM Overwrite 5.0-5.5
CVE-2023-22615 8.4 - High - April 11, 2023

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. IHISI subfunction execution may corrupt SMRAM. An attacker can pass an address in the RCX save state register that overlaps SMRAM, thereby coercing an IHISI subfunction handler to overwrite private SMRAM.

Memory Corruption

DMA TOCTOU in InsydeH2O 5.0-5.5 FvbServicesRuntimeDxe (SMRAM)
CVE-2022-32477 7 - High - February 15, 2023

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the FvbServicesRuntimeDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

TOCTTOU

InsydeH2O 5.0-5.5 DMA Race in VariableRuntimeDxe Enables PrivEsc
CVE-2022-32475 7 - High - February 15, 2023

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the VariableRuntimeDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This issue was fixed in the kernel, which also protected chipset and OEM chipset code.

TOCTTOU

InsydeH2O v5.0-5.5 DMA TOCTOU Priv Escalation
CVE-2022-32469 7 - High - February 15, 2023

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the PnpSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

TOCTTOU

InsydeH2O kernel 5.05.5 SMBus DMA TOCTOU -> SMRAM corruption
CVE-2022-32953 7 - High - February 15, 2023

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the SdHostDriver buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated by using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the link data to SMRAM before checking it and verifying that all pointers are within the buffer.

TOCTTOU

InsydeH2O AhciBusDxe DMA TOCTOU Priv Escalation 5.0-5.5
CVE-2022-32476 7 - High - February 15, 2023

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the AhciBusDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

TOCTTOU

InsydeH2O 5.05.5 DMA race in HddPassword buffer enables privilege escalation
CVE-2022-32473 7 - High - February 15, 2023

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the HddPassword shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

TOCTTOU

InsydeH2O 5.x DMA TOCTOU in FwBlockServiceSmm buffer
CVE-2022-32470 7 - High - February 15, 2023

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the FwBlockServiceSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

TOCTTOU

InsydeH2O kernel 5.05.5 NvmExpressDxe DMA Race leading to SMRAM corruption
CVE-2022-32955 7 - High - February 15, 2023

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the NvmExpressDxe buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated by using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the link data to SMRAM before checking it and verifying that all pointers are within the buffer.

TOCTTOU

InsydeH2O DMA TOCTOU Race in SdMmcDevice before 5.5 (SMRAM corruption)
CVE-2022-32954 7 - High - February 15, 2023

An issue was discovered in Insyde InsydeH2O with kernel 5.1 through 5.5. DMA attacks on the SdMmcDevice buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated by using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the link data to SMRAM before checking it and verifying that all pointers are within the buffer.

TOCTTOU

InsydeH2O 5.0-5.5 DMA Race SMRAM Corruption & Priv Escalation
CVE-2022-32478 7 - High - February 15, 2023

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the IdeBusDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

TOCTTOU

InsydeH2O 5.0-5.5 DMA Race to Priv Escalation (SMM)
CVE-2022-32474 7 - High - February 15, 2023

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the StorageSecurityCommandDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

TOCTTOU

IhisiSmm DMA Buffer Overflow in InsydeH2O 5.0-5.5: Priv Esc
CVE-2022-32471 7 - High - February 15, 2023

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. The IhisiDxe driver uses the command buffer to pass input and output data. By modifying the command buffer contents with DMA after the input parameters have been checked but before they are used, the IHISI SMM code may be convinced to modify SMRAM or OS, leading to possible data corruption or escalation of privileges.

TOCTTOU

InsydeH2O 5.0-5.5 MebxConfiguration Stack Buffer Overflow
CVE-2022-36337 8.2 - High - November 23, 2022

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. A stack buffer overflow vulnerability in the MebxConfiguration driver leads to arbitrary code execution. Control of a UEFI variable under the OS can cause this overflow when read by BIOS code.

Memory Corruption

Buffer Overflow in InsydeH2O SetupUtility Driver (5.0-5.5)
CVE-2022-35407 7.8 - High - November 22, 2022

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. A stack buffer overflow leads to arbitrary code execution in the SetupUtility driver on Intel platforms. An attacker can change the values of certain UEFI variables. If the size of the second variable exceeds the size of the first, then the buffer will be overwritten. This issue affects the SetupUtility driver of InsydeH2O.

Memory Corruption

InsydeH2O UEFI Variables Buffer Overflow via SPI (CVE-2022-35897)
CVE-2022-35897 6.8 - Medium - November 21, 2022

An stack buffer overflow vulnerability leads to arbitrary code execution issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. If the attacker modifies specific UEFI variables, it can cause a stack overflow, leading to arbitrary code execution. The specific variables are normally locked (read-only) at the OS level and therefore an attack would require direct SPI modification. If an attacker can change the values of at least two variables out of three (SecureBootEnforce, SecureBoot, RestoreBootSettings), it is possible to execute arbitrary code.

Memory Corruption

SMRAM corruption via untrusted inputs in AhciBusDxe InsydeH2O Before 05.09.18
CVE-2022-29276 8.2 - High - November 15, 2022

SMI functions in AhciBusDxe use untrusted inputs leading to corruption of SMRAM. SMI functions in AhciBusDxe use untrusted inputs leading to corruption of SMRAM. This issue was discovered by Insyde during security review. It was fixed in: Kernel 5.0: version 05.09.18 Kernel 5.1: version 05.17.18 Kernel 5.2: version 05.27.18 Kernel 5.3: version 05.36.18 Kernel 5.4: version 05.44.18 Kernel 5.5: version 05.52.18 https://www.insyde.com/security-pledge/SA-2022059

Memory Corruption

SMRAM Corruption via DMA in StorageSecurityCommandDxe SMI
CVE-2022-34325 7.8 - High - November 14, 2022

DMA transactions which are targeted at input buffers used for the StorageSecurityCommandDxe software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the StorageSecurityCommandDxe driver could cause SMRAM corruption. This issue was discovered by Insyde engineering based on the general description provided by

TOCTTOU

InsydeH2O 5.05.5 DMA TOCTOU on PcdSmmDxe SMI
CVE-2022-32266 6.4 - Medium - November 14, 2022

DMA attacks on the parameter buffer used by a software SMI handler used by the driver PcdSmmDxe could lead to a TOCTOU attack on the SMI handler and lead to corruption of other ACPI fields and adjacent memory fields. DMA attacks on the parameter buffer used by a software SMI handler used by the driver PcdSmmDxe could lead to a TOCTOU attack on the SMI handler and lead to corruption of other ACPI fields and adjacent memory fields. The attack would require detailed knowledge of the PCD database contents on the current platform. This issue was discovered by Insyde engineering during a security review. This issue is fixed in Kernel 5.3: 05.36.23, Kernel 5.4: 05.44.23, Kernel 5.5: 05.52.23. Kernel 5.2 is unaffected. CWE-787 An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the parameter buffer that is used by a software SMI handler (used by the PcdSmmDxe driver) could lead to a TOCTOU race-condition attack on the SMI handler, and lead to corruption of other ACPI fields and adjacent memory fields. The attack would require detailed knowledge of the PCD database contents on the current platform.

Memory Corruption

SMM Memory Corruption in Insyde InsydeH2O PnpSmm (before 5.6)
CVE-2022-36448 8.2 - High - September 28, 2022

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. There is an SMM memory corruption vulnerability in the Software SMI handler in the PnpSmm driver.

Improper Input Validation

InsydeH2O FvbServicesRuntimeDxe SMM Mem Corruption v5.0-5.5 Priv Esc
CVE-2022-35893 8.2 - High - September 23, 2022

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM memory corruption vulnerability in the FvbServicesRuntimeDxe driver allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

Improper Input Validation

Arbitrary Code Execution via SMM Callout in InsydeH2O 5.05.5
CVE-2022-36338 8.2 - High - September 23, 2022

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver FwBlockServiceSmm, creating SMM, leads to arbitrary code execution. An attacker can replace the pointer to the UEFI boot service GetVariable with a pointer to malware, and then generate a software SMI.

Insyde InsydeH2O kernel <5.6 SMI info disclosure via untrusted pointer
CVE-2022-35894 6 - Medium - September 22, 2022

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The SMI handler for the FwBlockServiceSmm driver uses an untrusted pointer as the location to copy data to an attacker-specified buffer, leading to information disclosure.

Memory Leak

InsydeH2O SMM Callout CVE-2022-35408 (5.0-5.5) Arbitrary Code Exec
CVE-2022-35408 8.2 - High - September 22, 2022

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver in UsbLegacyControlSmm leads to possible arbitrary code execution in SMM and escalation of privileges. An attacker could overwrite the function pointers in the EFI_BOOT_SERVICES table before the USB SMI handler triggers. (This is not exploitable from code running in the operating system.)

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Insydeh2o or by Insyde? Click the Watch button to subscribe.

Insyde
Vendor

Insydeh2o
Product

Insydeh2o

Don't miss out!

By the Year

Recent Insydeh2o Security Vulnerabilities

InsydeH2O Kernel SMM OOB Before 05.70.50 CVE-2024-52879 - May 15, 2025

Buffer Over-Read in InsydeH2O Kernel <05.29.50 VariableRuntimeDxe – CVE-2024-52878 CVE-2024-52878 - May 15, 2025

Untrusted Input in SecureBootHandler of Insyde InsydeH2O kernel before 05.29.50 CVE-2024-52880 - May 15, 2025

InsydeH2O Kernel VarRuntimeDxe Buffer Over-Read <05.70.50 CVE-2024-52877 - May 15, 2025

InsydeH2O DXE Memory Corruption in AcpiS3/CSvcDxe (Kern 5.x) CVE-2024-49200 - April 15, 2025

MemCrc in InsydeH2O HddPassword (kernel 5.x <05.61.09) SMM Priv Esc CVE-2024-25079 - May 15, 2024

InsydeH2O Kernel MemCorrupt in SdHost/SdMmcDevice <5.6-05.61.09 (CVE-2024-27353) CVE-2024-27353 - May 15, 2024

StorageSecurityCommandDxe Memory Corruption InsydeH2O Kernel <5.2 Priv Esc CVE-2024-25078 - May 15, 2024

InsydeH2O PnpSmm OOB in SMM Comm Buffer (k5.0-5.6) Fixed in 5.2+ CVE-2023-47252 - April 26, 2024

InsydeH2O CapsuleIFWUSmm Driver Return-Value Omission 5.0-5.5 CVE-2022-46897 - April 22, 2024

TOCTOU bug in InsydeH2O firmware (kernel 5.2-5.5) enables data tampering CVE-2022-24351 4.7 - Medium - December 16, 2023

InsydeH2O BmpDecoderDxe LogoFAIL pre-5.205.28.47, pre-5.305.37.47, pre-5.405.45.47 CVE-2023-40238 5.5 - Medium - December 07, 2023

InsydeH2O SMRAM write SMM driver privilege escalation (5.0-5.5) CVE-2023-39283 7.8 - High - November 02, 2023

Insyde InsydeH2O 5.05.5 Arbitrary SetVariable Calls in IhisiServicesSmm CVE-2023-39284 5.5 - Medium - November 02, 2023

InsydeH2O AsfSecureBootDxe Stack Buffer Overflow 5.0-5.5 CVE-2023-39281 9.8 - Critical - November 01, 2023

InsydeH2O TrEEConfigDriver v5.05.5: TPM PCR Spoofing CVE-2023-30633 5.3 - Medium - October 19, 2023

InsydeInsydeH2O DXE RCE via GetImageProgress UEFI Variable (5.0-5.5) CVE-2023-34195 7.8 - High - September 18, 2023

InsydeH2O UEFI MeSetup Variable Overwrite CVE-2023-27471 (Kernel 5.0-5.5) CVE-2023-27471 5.5 - Medium - August 18, 2023

InsydeH2O SysPasswordDxe 5.0-5.5 cleartext password disclosure CVE-2023-31041 7.5 - High - August 14, 2023

InsydeH2O 5.05.5: RuntimeEFI Variable Validation Flaw Overlap SMRAM CVE-2023-27373 5.5 - Medium - August 07, 2023

InsydeH2O firmware OOB read via EFI var tamper, fixed v01.01.04.0016 CVE-2023-25600 7.1 - High - August 03, 2023

Insyde InsydeH2O Kernel 5.x Vulnerability: IHISI Fn 0x17 Buffer Overflow CVE-2022-24350 5.5 - Medium - April 12, 2023

Insyde H2O SMRAM Corruption via Unchecked Save State Register (v5.2-5.5) CVE-2023-22616 7.8 - High - April 12, 2023

InsydeH2O BIOS 5.0-5.5: SMM Mem Corrupt via Malformed RCX Pointer in IhisiSmm CVE-2023-22613 8.8 - High - April 11, 2023

Memory Corruption in InsydeH2O (IhisiSmm) 5.0-5.5 CVE-2023-22612 8.8 - High - April 11, 2023

Memory Corruption in Insyde InsydeH2O ChipsetSvcSmm (Kernel 5.0-5.5) CVE-2023-22614 8.8 - High - April 11, 2023

InsydeH2O IHISI SMRAM Overwrite 5.0-5.5 CVE-2023-22615 8.4 - High - April 11, 2023

DMA TOCTOU in InsydeH2O 5.0-5.5 FvbServicesRuntimeDxe (SMRAM) CVE-2022-32477 7 - High - February 15, 2023

InsydeH2O 5.0-5.5 DMA Race in VariableRuntimeDxe Enables PrivEsc CVE-2022-32475 7 - High - February 15, 2023

InsydeH2O v5.0-5.5 DMA TOCTOU Priv Escalation CVE-2022-32469 7 - High - February 15, 2023

InsydeH2O kernel 5.05.5 SMBus DMA TOCTOU -> SMRAM corruption CVE-2022-32953 7 - High - February 15, 2023

InsydeH2O AhciBusDxe DMA TOCTOU Priv Escalation 5.0-5.5 CVE-2022-32476 7 - High - February 15, 2023

InsydeH2O 5.05.5 DMA race in HddPassword buffer enables privilege escalation CVE-2022-32473 7 - High - February 15, 2023

InsydeH2O 5.x DMA TOCTOU in FwBlockServiceSmm buffer CVE-2022-32470 7 - High - February 15, 2023

InsydeH2O kernel 5.05.5 NvmExpressDxe DMA Race leading to SMRAM corruption CVE-2022-32955 7 - High - February 15, 2023

InsydeH2O DMA TOCTOU Race in SdMmcDevice before 5.5 (SMRAM corruption) CVE-2022-32954 7 - High - February 15, 2023

InsydeH2O 5.0-5.5 DMA Race SMRAM Corruption & Priv Escalation CVE-2022-32478 7 - High - February 15, 2023

InsydeH2O 5.0-5.5 DMA Race to Priv Escalation (SMM) CVE-2022-32474 7 - High - February 15, 2023

IhisiSmm DMA Buffer Overflow in InsydeH2O 5.0-5.5: Priv Esc CVE-2022-32471 7 - High - February 15, 2023

InsydeH2O 5.0-5.5 MebxConfiguration Stack Buffer Overflow CVE-2022-36337 8.2 - High - November 23, 2022

Buffer Overflow in InsydeH2O SetupUtility Driver (5.0-5.5) CVE-2022-35407 7.8 - High - November 22, 2022

InsydeH2O UEFI Variables Buffer Overflow via SPI (CVE-2022-35897) CVE-2022-35897 6.8 - Medium - November 21, 2022

SMRAM corruption via untrusted inputs in AhciBusDxe InsydeH2O Before 05.09.18 CVE-2022-29276 8.2 - High - November 15, 2022

SMRAM Corruption via DMA in StorageSecurityCommandDxe SMI CVE-2022-34325 7.8 - High - November 14, 2022

InsydeH2O 5.05.5 DMA TOCTOU on PcdSmmDxe SMI CVE-2022-32266 6.4 - Medium - November 14, 2022

SMM Memory Corruption in Insyde InsydeH2O PnpSmm (before 5.6) CVE-2022-36448 8.2 - High - September 28, 2022

InsydeH2O FvbServicesRuntimeDxe SMM Mem Corruption v5.0-5.5 Priv Esc CVE-2022-35893 8.2 - High - September 23, 2022

Arbitrary Code Execution via SMM Callout in InsydeH2O 5.05.5 CVE-2022-36338 8.2 - High - September 23, 2022

Insyde InsydeH2O kernel <5.6 SMI info disclosure via untrusted pointer CVE-2022-35894 6 - Medium - September 22, 2022

InsydeH2O SMM Callout CVE-2022-35408 (5.0-5.5) Arbitrary Code Exec CVE-2022-35408 8.2 - High - September 22, 2022

Stay on top of Security Vulnerabilities

Insyde Vendor

Insydeh2oProduct

InsydeH2O Kernel SMM OOB Before 05.70.50
CVE-2024-52879 - May 15, 2025

Buffer Over-Read in InsydeH2O Kernel <05.29.50 VariableRuntimeDxe – CVE-2024-52878
CVE-2024-52878 - May 15, 2025

Untrusted Input in SecureBootHandler of Insyde InsydeH2O kernel before 05.29.50
CVE-2024-52880 - May 15, 2025

InsydeH2O Kernel VarRuntimeDxe Buffer Over-Read <05.70.50
CVE-2024-52877 - May 15, 2025

InsydeH2O DXE Memory Corruption in AcpiS3/CSvcDxe (Kern 5.x)
CVE-2024-49200 - April 15, 2025

MemCrc in InsydeH2O HddPassword (kernel 5.x <05.61.09) SMM Priv Esc
CVE-2024-25079 - May 15, 2024

InsydeH2O Kernel MemCorrupt in SdHost/SdMmcDevice <5.6-05.61.09 (CVE-2024-27353)
CVE-2024-27353 - May 15, 2024

StorageSecurityCommandDxe Memory Corruption InsydeH2O Kernel <5.2 Priv Esc
CVE-2024-25078 - May 15, 2024

InsydeH2O PnpSmm OOB in SMM Comm Buffer (k5.0-5.6) Fixed in 5.2+
CVE-2023-47252 - April 26, 2024

InsydeH2O CapsuleIFWUSmm Driver Return-Value Omission 5.0-5.5
CVE-2022-46897 - April 22, 2024

TOCTOU bug in InsydeH2O firmware (kernel 5.2-5.5) enables data tampering
CVE-2022-24351 4.7 - Medium - December 16, 2023

InsydeH2O BmpDecoderDxe LogoFAIL pre-5.205.28.47, pre-5.305.37.47, pre-5.405.45.47
CVE-2023-40238 5.5 - Medium - December 07, 2023

InsydeH2O SMRAM write SMM driver privilege escalation (5.0-5.5)
CVE-2023-39283 7.8 - High - November 02, 2023

Insyde InsydeH2O 5.05.5 Arbitrary SetVariable Calls in IhisiServicesSmm
CVE-2023-39284 5.5 - Medium - November 02, 2023

InsydeH2O AsfSecureBootDxe Stack Buffer Overflow 5.0-5.5
CVE-2023-39281 9.8 - Critical - November 01, 2023

InsydeH2O TrEEConfigDriver v5.05.5: TPM PCR Spoofing
CVE-2023-30633 5.3 - Medium - October 19, 2023

InsydeInsydeH2O DXE RCE via GetImageProgress UEFI Variable (5.0-5.5)
CVE-2023-34195 7.8 - High - September 18, 2023

InsydeH2O UEFI MeSetup Variable Overwrite CVE-2023-27471 (Kernel 5.0-5.5)
CVE-2023-27471 5.5 - Medium - August 18, 2023

InsydeH2O SysPasswordDxe 5.0-5.5 cleartext password disclosure
CVE-2023-31041 7.5 - High - August 14, 2023

InsydeH2O 5.05.5: RuntimeEFI Variable Validation Flaw Overlap SMRAM
CVE-2023-27373 5.5 - Medium - August 07, 2023

InsydeH2O firmware OOB read via EFI var tamper, fixed v01.01.04.0016
CVE-2023-25600 7.1 - High - August 03, 2023

Insyde InsydeH2O Kernel 5.x Vulnerability: IHISI Fn 0x17 Buffer Overflow
CVE-2022-24350 5.5 - Medium - April 12, 2023

Insyde H2O SMRAM Corruption via Unchecked Save State Register (v5.2-5.5)
CVE-2023-22616 7.8 - High - April 12, 2023

InsydeH2O BIOS 5.0-5.5: SMM Mem Corrupt via Malformed RCX Pointer in IhisiSmm
CVE-2023-22613 8.8 - High - April 11, 2023

Memory Corruption in InsydeH2O (IhisiSmm) 5.0-5.5
CVE-2023-22612 8.8 - High - April 11, 2023

Memory Corruption in Insyde InsydeH2O ChipsetSvcSmm (Kernel 5.0-5.5)
CVE-2023-22614 8.8 - High - April 11, 2023

InsydeH2O IHISI SMRAM Overwrite 5.0-5.5
CVE-2023-22615 8.4 - High - April 11, 2023

DMA TOCTOU in InsydeH2O 5.0-5.5 FvbServicesRuntimeDxe (SMRAM)
CVE-2022-32477 7 - High - February 15, 2023

InsydeH2O 5.0-5.5 DMA Race in VariableRuntimeDxe Enables PrivEsc
CVE-2022-32475 7 - High - February 15, 2023

InsydeH2O v5.0-5.5 DMA TOCTOU Priv Escalation
CVE-2022-32469 7 - High - February 15, 2023

InsydeH2O kernel 5.05.5 SMBus DMA TOCTOU -> SMRAM corruption
CVE-2022-32953 7 - High - February 15, 2023

InsydeH2O AhciBusDxe DMA TOCTOU Priv Escalation 5.0-5.5
CVE-2022-32476 7 - High - February 15, 2023

InsydeH2O 5.05.5 DMA race in HddPassword buffer enables privilege escalation
CVE-2022-32473 7 - High - February 15, 2023

InsydeH2O 5.x DMA TOCTOU in FwBlockServiceSmm buffer
CVE-2022-32470 7 - High - February 15, 2023

InsydeH2O kernel 5.05.5 NvmExpressDxe DMA Race leading to SMRAM corruption
CVE-2022-32955 7 - High - February 15, 2023

InsydeH2O DMA TOCTOU Race in SdMmcDevice before 5.5 (SMRAM corruption)
CVE-2022-32954 7 - High - February 15, 2023

InsydeH2O 5.0-5.5 DMA Race SMRAM Corruption & Priv Escalation
CVE-2022-32478 7 - High - February 15, 2023

InsydeH2O 5.0-5.5 DMA Race to Priv Escalation (SMM)
CVE-2022-32474 7 - High - February 15, 2023

IhisiSmm DMA Buffer Overflow in InsydeH2O 5.0-5.5: Priv Esc
CVE-2022-32471 7 - High - February 15, 2023

InsydeH2O 5.0-5.5 MebxConfiguration Stack Buffer Overflow
CVE-2022-36337 8.2 - High - November 23, 2022

Buffer Overflow in InsydeH2O SetupUtility Driver (5.0-5.5)
CVE-2022-35407 7.8 - High - November 22, 2022

InsydeH2O UEFI Variables Buffer Overflow via SPI (CVE-2022-35897)
CVE-2022-35897 6.8 - Medium - November 21, 2022

SMRAM corruption via untrusted inputs in AhciBusDxe InsydeH2O Before 05.09.18
CVE-2022-29276 8.2 - High - November 15, 2022

SMRAM Corruption via DMA in StorageSecurityCommandDxe SMI
CVE-2022-34325 7.8 - High - November 14, 2022

InsydeH2O 5.05.5 DMA TOCTOU on PcdSmmDxe SMI
CVE-2022-32266 6.4 - Medium - November 14, 2022

SMM Memory Corruption in Insyde InsydeH2O PnpSmm (before 5.6)
CVE-2022-36448 8.2 - High - September 28, 2022

InsydeH2O FvbServicesRuntimeDxe SMM Mem Corruption v5.0-5.5 Priv Esc
CVE-2022-35893 8.2 - High - September 23, 2022

Arbitrary Code Execution via SMM Callout in InsydeH2O 5.05.5
CVE-2022-36338 8.2 - High - September 23, 2022

Insyde InsydeH2O kernel <5.6 SMI info disclosure via untrusted pointer
CVE-2022-35894 6 - Medium - September 22, 2022

InsydeH2O SMM Callout CVE-2022-35408 (5.0-5.5) Arbitrary Code Exec
CVE-2022-35408 8.2 - High - September 22, 2022

Insyde
Vendor

Insydeh2o
Product