Insyde Security Advisory 2023017

Insyde ID Advisory Category Impact of Vulnerability Severity Rating Original Date Last Revised
INSYDE-SA-2023017 Software CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 6.4 03/07/2023 03/07/2023


H2OSmmDebugPrintErrorLevelLib: Variable size is not initialized before calling GetVariable

Vulnerability Details


An attacker may change the size of the variable so that it is larger than the original variable size. When the variable is read with GetVariable without a definite, initialized size, the data returned may exceed the size of the destination buffer, whether that buffer was allocated or is a fixed-size local variable. A stack buffer overflow will occur and lead to arbitrary code execution.
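The size contract behind this class of bug, shown as an added example that is not Insyde's code: `mock_get_variable`, `struct frame`, the 4-byte `level` local and the status names are hypothetical stand-ins, and the variable contents are constructed. The flawed reader passes a stale size and ignores the status, while the hardened reader initializes the size to the buffer size and validates the returned length.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { OK = 0, BUFFER_TOO_SMALL = 1, BAD_SIZE = 2 };
static uint8_t store[64];  /* constructed variable contents */
static size_t store_len;   /* controlled by whoever can rewrite the variable */

/* Stand-in for GetVariable's size contract: *size is the buffer capacity on
   entry and the data length on return; data is copied only when it fits. */
static int mock_get_variable(size_t *size, void *data) {
    if (*size < store_len) { *size = store_len; return BUFFER_TOO_SMALL; }
    memcpy(data, store, store_len);
    *size = store_len;
    return OK;
}

/* Models a stack frame: a 4-byte local followed by adjacent stack data. */
struct frame { uint32_t level; uint8_t adjacent[60]; };

/* Flawed: size is never set to sizeof(level); 'stale' models the leftover
   value it holds. Returns the number of bytes written past level. */
static size_t flawed_read(size_t stale) {
    struct frame f;
    size_t size = stale, i, spilled = 0;
    memset(&f, 0, sizeof f);
    mock_get_variable(&size, &f);  /* status ignored too */
    for (i = 0; i < sizeof f.adjacent; i++) spilled += (f.adjacent[i] != 0);
    return spilled;
}

/* Hardened: size starts at the buffer size, status is checked, and any
   length other than the expected one is rejected. */
static int hardened_read(uint32_t *level) {
    uint32_t tmp = 0;
    size_t size = sizeof tmp;
    int st = mock_get_variable(&size, &tmp);
    if (st != OK) return st;
    if (size != sizeof tmp) return BAD_SIZE;
    *level = tmp;
    return OK;
}

static void set_variable(size_t n) {  /* constructed input: n bytes of 0xAA */
    if (n > sizeof store) n = sizeof store;
    memset(store, 0xAA, n); store_len = n;
}
```

With the variable enlarged from 4 to 32 bytes, the flawed reader writes 28 bytes past the local, while the hardened reader returns `BUFFER_TOO_SMALL` and leaves the caller's value untouched.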

Purley-R: Version
Whitley: Version
Cedar Island: Trunk
Eagle Stream: Version
Mehlow-R: Trunk
Jacobsville(SNR): Version
Grangeville NS / Hewitt Lake: Version
Bakerville: Version
Idaville: Version
Whiskey Lake: Trunk
Alder Lake N: Version
Rome: Trunk
Milan: Trunk
Genoa: Version
Embedded Rome: Trunk
Embedded Milan: Trunk
Hygon #1/#2: Version
Hygon #3: Version

Revision History:

Revision Date Description
1.0 03/07/2023 Initial Release