Insyde's Security Pledge

Recent Security Advisories

INSYDE-SA-2020001

Product: InsydeH2O
CVSS Score: 7.2
Original Date: 2024-03-12
Last Revised:

Summary

AhciBusDxe: Improper input validation might lead to an arbitrary code execution vulnerability at SMM level.

Vulnerability Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

CVE-2020-5952: The AhciBusDxe module has an SMM callout vulnerability that could also be used to execute arbitrary code at SMM level.

Solution Information

Kernel 5.1: Version in 05.15.11
Kernel 5.2: Version in 05.25.11
Kernel 5.3: Version in 05.34.11
Kernel 5.4: Version in 05.42.11

Acknowledgements

Thanks to third-party researchers Yngweijw and Menghao Li of IIE Varas for reporting the vulnerabilities and engaging in coordinated disclosure.

Revision History

Revision #: 1
Date: 2024-03-12
Description: Initial Release