Insyde's Security Pledge
Recent Security Advisories

INSYDE-SA-2022003
Product
CVSS Score
Original Date
Last Revised
InsydeH2O
8.2
2022-01-04
2022-02-08
Summary
A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer(CommBuffer + 8 location). This can be used by an attacker to corrupt data in SMRAM memory and even lead to arbitrary code execution.
Vulnerability Details
CVSS Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
This corresponds to CVE-2021-45969. It affects the driver AhciBusDxe. This issue was discovered by Insyde engineering during an internal security review of several Insyde drivers and entered as a security incident on May 28, 2021. It was independently reported by Binaryly (BRLY-2021-016) in September 2021. It was fixed in the following Insyde kernel versions on June 18, 2021. It was fixed in the following versions:
Solution Information
Kernel 5.1: 05.16.25
Kernel 5.2: 05.26.25
Kernel 5.3: 05.35.25
Kernel 5.4: 05.43.25
Kernel 5.5: 05.51.25.
This issue was previously reported incorrectly as part of CVE-2020-27339.
Acknowledgements
Revision History
Revision #
Date
Description
1
2022-01-04
Initial Release
1.1
2022-02-08
Added CVSS Rating