INSYDE-SA-2023017

Product: InsydeH2O
CVSS Score: 6.4
Original Date: 2023-03-07
Last Revised:

Summary

H2OSmmDebugPrintErrorLevelLib: Variable size is not initialized before calling GetVariable.

Vulnerability Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-46758

An attacker may change the size of a variable so that it is larger than the original variable size. When the variable is then read without a defined size, the variable data returned can be larger than the destination buffer, whether that buffer was allocated or is a fixed-size local variable. A stack buffer overflow will occur and lead to arbitrary code execution.
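
The pattern described above, as an added C example (not Insyde's code): a caller that leaves the size argument unset beside one that sets it to the buffer size and checks the result. MockGetVariable stands in for GetVariable, reduced to its DataSize and Data parameters; the type definitions, status values, 4-byte value and function names are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Constructed stand-ins for UEFI types and status codes, not the EDK II headers. */
typedef size_t UINTN;
typedef int EFI_STATUS;
#define EFI_SUCCESS 0
#define EFI_BUFFER_TOO_SMALL 5

/* Constructed variable store; whoever can write the variable controls its size. */
static unsigned char g_var[64];
static UINTN g_var_size;

void set_var(const void *data, UINTN size) {
    g_var_size = size > sizeof(g_var) ? sizeof(g_var) : size;
    memcpy(g_var, data, g_var_size);
}

/* Mock of GetVariable's size contract, reduced to its last two parameters:
   *DataSize is the buffer capacity on input and the variable size on output. */
static EFI_STATUS MockGetVariable(UINTN *DataSize, void *Data) {
    if (*DataSize < g_var_size) { *DataSize = g_var_size; return EFI_BUFFER_TOO_SMALL; }
    memcpy(Data, g_var, g_var_size);
    *DataSize = g_var_size;
    return EFI_SUCCESS;
}

/* Flawed pattern: DataSize holds leftover stack contents, modelled by 'stale'.
   'frame' models a 4-byte local plus the stack after it; returns bytes written past the local. */
UINTN read_level_unchecked(UINTN stale) {
    unsigned char frame[64] = {0};
    UINTN DataSize = stale;                 /* never set to the local's size */
    if (MockGetVariable(&DataSize, frame) != EFI_SUCCESS) return 0;
    return DataSize > 4 ? DataSize - 4 : 0;
}

/* Hardened pattern: capacity set before the call, status and size both checked. */
int read_level_checked(unsigned int *level) {
    unsigned int value = 0;
    UINTN DataSize = sizeof(value);
    if (MockGetVariable(&DataSize, &value) != EFI_SUCCESS || DataSize != sizeof(value))
        return -1;                          /* oversized or short: keep the default */
    *level = value;
    return 0;
}

int main(void) {                            /* constructed 32-byte oversized variable */
    unsigned char big[32] = {0}; unsigned int lvl = 0;
    set_var(big, sizeof big);
    return (read_level_checked(&lvl) == -1 && read_level_unchecked(4096) == 28) ? 0 : 1;
}
```

A stale size that happens to be small makes the unchecked caller fail closed, so the flaw may not show up in ordinary testing.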

Solution Information

Purley-R: Version 05.21.51.0051
Whitley: Version 05.42.23.0069
Cedar Island: Trunk
Eagle Stream: Version 05.44.53.0070
Mehlow-R: Trunk
Jacobsville(SNR): Version 05.36.26.0053
Grangeville NS / Hewitt Lake: Version 05.27.48.0026
Bakerville: Version 05.21.51.0028
Idaville: Version 05.44.52.0041
Whiskey Lake: Trunk
Alder Lake N: Version 05.44.50.0002
Rome: Trunk
Milan: Trunk
Genoa: Version 05.52.53.0012
Embedded Rome: Trunk
Embedded Milan: Trunk
Hygon #1/#2: Version 05.36.48.0018
Hygon #3: Version 05.45.02.0009

Acknowledgements

Revision History

Revision #: 1
Date: 2023-03-07
Description: Initial Release