Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-32471

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. The IhisiDxe driver uses the command buffer to pass input and output data. By modifying the command buffer contents with DMA after the input parameters have been checked but before they are used, the IHISI SMM code may be convinced to modify SMRAM or OS, leading to possible data corruption or escalation of privileges.

Published

2023-02-15T02:15:09.623

Last Modified

2025-05-05T17:18:14.383

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.0 (HIGH)

Weaknesses

Type: Primary
CWE-367
Type: Secondary
CWE-367

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	insyde	insydeh2o	< 5.2.05.27.37	Yes
Application	insyde	insydeh2o	< 5.3.05.36.37	Yes
Application	insyde	insydeh2o	< 5.4.05.44.45	Yes
Application	insyde	insydeh2o	< 5.5.05.52.45	Yes

References

https://www.insyde.com/security-pledge Vendor Advisory ([email protected])
https://www.insyde.com/security-pledge/SA-2023003 Vendor Advisory ([email protected])
https://www.insyde.com/security-pledge Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.insyde.com/security-pledge/SA-2023003 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)