CVE-2023-22613

Published: Apr 11, 2023Modified: Feb 11, 2025

8.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitability: 2.0 / Impact: 6.0

Source: NVD

Description

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. It is possible to write to an attacker-controlled address. An attacker could invoke an SMI handler with a malformed pointer in RCX that overlaps SMRAM, resulting in SMM memory corruption.

Affected (4)

Products: Insyde: Insydeh2o

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Insyde Insydeh2o	Version 05.27.37
Insyde Insydeh2o	Version 05.36.37
Insyde Insydeh2o	Version 05.44.45
Insyde Insydeh2o	Version 05.52.45

Related CWEs

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (6)

https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode/

Source: cve@mitre.org

Not Applicable

https://www.insyde.com/security-pledge

Source: cve@mitre.org

Vendor Advisory

https://www.insyde.com/security-pledge/SA-2023023

Source: cve@mitre.org

Vendor Advisory

https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode/

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

https://www.insyde.com/security-pledge

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.insyde.com/security-pledge/SA-2023023

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.