Insyde's Security Pledge

Recent Security Advisories

INSYDE-SA-2022038

Product

CVSS Score

Original Date

Last Revised

InsydeH2O

3.6

2022-09-30

Summary

Some versions of InsydeH2O use the FreeType tools to embed fonts into the BIOS. InsydeH2O does not use the FreeType API at runtime and usage during build time does not produce a vulnerability in the BIOS.

Vulnerability Details

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

CVE-2022-27405

Some versions of InsydeH2O use the FreeType tools to embed fonts into the BIOS. InsydeH2O does not use the FreeType API at runtime and usage during build time does not produce a vulnerability in the BIOS. The CVSS reflects this limited usage. The version of FreeType used in InsydeH2O was updated to 2.10.4.

Solution Information

This was fixed in the Kernel, versions

kernel 5.0, unknown (End of Support)
kernel 5.1, version 05.17.33
kernel 5.2, version 05.27.33
kernel 5.3, version 05.36.34
kernel 5.4, version 05.44.34
kernel 5.5, version 05.52.33

Acknowledgements

This issue was discovered by the Insyde engineering team based on FreeType reports (https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/)

Revision History

Revision #

Date

Description

1

2022-09-30

Initial Release