CVE-2022-36338

Published: Sep 23, 2022Modified: May 5, 2025

8.2

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Exploitability: 1.5 / Impact: 6.0

Source: NVD

Description

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver FwBlockServiceSmm, creating SMM, leads to arbitrary code execution. An attacker can replace the pointer to the UEFI boot service GetVariable with a pointer to malware, and then generate a software SMI.

Affected (1)

Products: Insyde: Insydeh2o

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Insyde Insydeh2o	From 5.0 to 5.5

References (6)

https://binarly.io/advisories/BRLY-2022-017/index.html

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.insyde.com/security-pledge

Source: cve@mitre.org

Vendor Advisory

https://www.insyde.com/security-pledge/SA-2022029

Source: cve@mitre.org

Vendor Advisory

https://binarly.io/advisories/BRLY-2022-017/index.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.insyde.com/security-pledge

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.insyde.com/security-pledge/SA-2022029

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.