Insyde's Security Pledge

Recent Security Advisories

INSYDE-SA-2025005

Product: InsydeH2O
CVSS Score: 7.5
Original Date: 2025-08-12
Last Revised:

Summary

UsbCoreDxe: improper input validation may lead to arbitrary code execution.
Tcg2Smm: improper input validation may lead to arbitrary code execution.
SetupUtility: A buffer overflow vulnerability leads to arbitrary code execution.

Vulnerability Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2025-4276

Description: UsbCoreDxe has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level.
(CWE-20: Improper Input Validation).

CVE-2025-4277

Description: Tcg2Smm has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level.
(CWE-20: Improper Input Validation).

CVE-2025-4410

Description: A buffer overflow vulnerability exists in the SetupUtility module. An attacker with local privileged access can exploit this vulnerability to execute arbitrary code.
(CWE-20: Improper Input Validation).

Solution Information

For CVE-2025-4276:
Kernel 5.3: Version Tag 05.39.18
Kernel 5.4: Version Tag 05.47.18
Kernel 5.5: Version Tag 05.55.18
Kernel 5.6: Version Tag 05.62.18
Kernel 5.7: Version Tag 05.71.18

For CVE-2025-4277:
Kernel 5.2, Version 05.2A.21
Kernel 5.3, Version 05.39.21
Kernel 5.4, Version 05.47.21
Kernel 5.5, Version 05.55.21
Kernel 5.6, Version 05.62.21
Kernel 5.7, Version 05.71.21

For CVE-2025-4410:

Intel Mobile Platforms:

PantherLake: Version 05.71.04.0012
LunarLake: Version 05.62.21.0033
ArrowLake H/U: Version 05.55.17.0017
ArrowLake S/HX: Version 05.55.17.0028
MeteorLake: Version 05.55.17.0036
RaptorLake: Version 05.47.21.0055
TwinLake: Version 05.44.45.0027

Intel Server/Embedded Platforms:

Purley: Version 05.21.51.0064
Whitley: Version 05.42.23.0078
CedarIsland: Version 05.42.11.0031
Eagle Stream: Version 05.47.31.1049
Birch Stream: Version 05.62.16.0082
Mehlow: Version 05.23.04.0054
Tatlow: Version 05.42.52.0029
Jacobsville: (Not Affected)
Harrisonville: (Not Affected)
Idaville: Version 05.47.21.0067
WhiskeyLake: Version 05.23.45.0032
CometLake-S: Version 05.34.19.0050
TigerLake UP3/H: Version 05.43.12.0062
AlderLake: Version 05.47.21.2055
Gemini Lake: (Not Affected)
ElkhartLake: Version 05.47.21.0028
Alder Lake N: Version 05.47.21.0013
AmstonLake: Version 05.47.21.0008

Acknowledgements

Revision History

Revision #: 1
Date: 2025-08-12
Description: Initial Release