Insyde's Security Pledge

Recent Security Advisories

INSYDE-SA-2022045

Product

CVSS Score

Original Date

Last Revised

InsydeH2O

3.9

2022-11-08

Summary

DMA attacks on the parameter buffer used by a software SMI handler used by the driver PcdSmmDxe could lead to corruption of other ACPI fields and adjacent memory fields (a TOCTOU attack).

Vulnerability Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L

CVE-2022-32266

DMA attacks on the parameter buffer used by a software SMI handler used by the driver PcdSmmDxe could lead to a TOCTOU attack on the SMI handler and lead to corruption of other ACPI fields and adjacent memory fields. The attack would require detailed knowledge of the PCD database contents on the current platform. This issue was discovered by Insyde engineering during a security review.

Solution Information

Kernel 5.3: 05.36.23
Kernel 5.4: 05.44.23
Kernel 5.5: 05.52.23
Kernel 5.2 is unaffected

Acknowledgements

Revision History

Revision #

Date

Description

2022-11-08

Initial Release

< Back to Security Pledge