Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-22616

An issue was discovered in Insyde InsydeH2O with kernel 5.2 through 5.5. The Save State register is not checked before use. The IhisiSmm driver does not check the value of a save state register before use. Due to insufficient input validation, an attacker can corrupt SMRAM.

Published

2023-04-12T13:15:07.370

Last Modified

2025-02-10T17:15:16.200

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.8 (HIGH)

Weaknesses

Type: Primary
CWE-610
Type: Secondary
CWE-610

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	insyde	insydeh2o	≤ 5.5	Yes

References

https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode/ Exploit, Third Party Advisory ([email protected])
https://www.insyde.com/security-pledge Vendor Advisory ([email protected])
https://www.insyde.com/security-pledge/SA-2023022 Vendor Advisory ([email protected])
https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode/ Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.insyde.com/security-pledge Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.insyde.com/security-pledge/SA-2023022 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)