CVE-2020-5956: Input Validation
First published: Wed Jan 05 2022(Updated: )
An issue was discovered in SdLegacySmm in Insyde InsydeH2O with kernel 5.1 before 05.15.11, 5.2 before 05.25.11, 5.3 before 05.34.11, and 5.4 before 05.42.11. The software SMI handler allows untrusted external input because it does not verify CommBuffer.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Insyde H2O | >=5.2<5.25.11 | |
| Insyde H2O | >=5.1<05.15.11 | |
| Insyde H2O | >=5.3<05.34.11 | |
| Insyde H2O | >=5.4<05.42.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-5956?
CVE-2020-5956 is classified as a medium severity vulnerability due to the risk it poses from untrusted external input.
How do I fix CVE-2020-5956?
To fix CVE-2020-5956, update InsydeH2O to version 5.1.05.15.11, 5.2.05.25.11, 5.3.05.34.11, or 5.4.05.42.11 or later.
What systems are affected by CVE-2020-5956?
CVE-2020-5956 affects InsydeH2O UEFI BIOS versions 5.1 before 05.15.11, 5.2 before 05.25.11, 5.3 before 05.34.11, and 5.4 before 05.42.11.
What is the impact of CVE-2020-5956?
The impact of CVE-2020-5956 allows an attacker to exploit the SMI handler due to a lack of verification on CommBuffer input.
Who is the vendor for CVE-2020-5956?
The vendor for CVE-2020-5956 is Insyde Software, known for their InsydeH2O UEFI BIOS systems.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/insyde
- canonical/insyde h2o
- version/insyde h2o/5.2
- version/insyde h2o/5.1
- version/insyde h2o/5.3
- version/insyde h2o/5.4