Insyde's Security Pledge

Recent Security Advisories

INSYDE-SA-2022041

Product: InsydeH2O
CVSS Score: 7.6
Original Date: 2022-11-04
Last Revised:

Summary

Stack buffer overflow vulnerability leads to arbitrary code execution.

Vulnerability Details

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2022-35897

This issue affects the BdsDxe driver of InsydeH2O in releases supporting specific chipsets. The issue was discovered by the Binarly efiXplorer team. This issue is fixed in the following InsydeH2O chipset versions.

Solution Information

Rocket Lake: Version 05.42.52.0024
Tiger Lake: Version 05.43.12.0053
Jasper Lake: Version 05.43.01.0024
Alder Lake: Version 05.44.23.0050
Sky Lake: Version 05.05.46.0036
Kaby Lake: Version 05.12.09.0081
Ice Lake: Version 05.33.15.0051
Coffee Lake: Version 05.23.04.0050
Whiskey Lake CP: Version 05.23.45.0028
Comet Lake: Version 05.34.19.0044
Rocket Lake CMP: Version 05.34.51.0023

All other Intel and all AMD platforms are unaffected.

Acknowledgements

This issue was described by the Binarly efiXplorer team (https://www.binarly.io/advisories/BRLY-2022-021).

Revision History

Revision #: 1
Date: 2022-11-04
Description: Initial Release