Insyde Security Advisory 2022045

Insyde ID Advisory Category Impact of Vulnerability Severity Rating Original Date Last Revised
INSYDE-SA-2022045 Software CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L 3.9 11/08/2022 11/08/2022

Summary:

DMA attacks on the parameter buffer used by a software SMI handler used by the driver PcdSmmDxe could lead to corruption of other ACPI fields and adjacent memory fields (a TOCTOU attack).

Vulnerability Details

CVE-2022-32266

DMA attacks on the parameter buffer used by a software SMI handler used by the driver PcdSmmDxe could lead to a TOCTOU attack on the SMI handler and lead to corruption of other ACPI fields and adjacent memory fields. The attack would require detailed knowledge of the PCD database contents on the current platform. This issue was discovered by Insyde engineering during a security review. This issue is fixed in:

Kernel 5.3: 05.36.23
Kernel 5.4: 05.44.23
Kernel 5.5: 05.52.23
Kernel 5.2 is unaffected

CWE-787

Revision History:

Revision Date Description
1.0 11/08/2022 Initial Release
- - -

Return to Insyde's Security Pledge