First published: Wed Feb 15 2023
An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. The IhisiDxe driver uses the command buffer to pass input and output data. By modifying the command buffer contents with DMA after the input parameters have been checked but before they are used, the IHISI SMM code may be convinced to modify SMRAM or OS, leading to possible data corruption or escalation of privileges.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Insyde InsydeH2O | >=5.0, <5.2.05.27.37 | |
Insyde InsydeH2O | >=5.3, <5.3.05.36.37 | |
Insyde InsydeH2O | >=5.4, <5.4.05.44.45 | |
Insyde InsydeH2O | >=5.5, <5.5.05.52.45 | |
The severity of CVE-2022-32471 is high.
Insyde InsydeH2O versions 5.0 through 5.5 are affected by CVE-2022-32471.
CVE-2022-32471 affects Insyde InsydeH2O by allowing the command buffer contents to be modified with DMA after the input parameters have been checked but before they are used, leading to possible data corruption or escalation of privileges.
For information on patches or fixes for CVE-2022-32471, please refer to the Insyde Security Pledge website.
For more information about CVE-2022-32471, please refer to the Insyde Security Pledge website or the provided references.
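
The check-then-use race described above, next to the usual mitigation of copying the command buffer into handler-private memory before validating it. This is an added example, not Insyde's code or part of the original advisory; the buffer layout, function names, sizes and the hook that stands in for the DMA write are all hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define ALLOWED 64   /* constructed: bytes the handler may legitimately write */
#define BACKING 128  /* constructed: bytes past ALLOWED stand in for protected memory */
/* Hypothetical command buffer layout, not the IHISI format. */
typedef struct { uint32_t offset, length; uint8_t data[8]; } cmd_buf_t;
/* Stand-in for a DMA write that lands between the check and the use. */
typedef void (*dma_hook_t)(cmd_buf_t *shared);

static int params_ok(uint32_t offset, uint32_t length)
{
    return length <= 8 && offset <= ALLOWED - length;
}

/* Flawed pattern: validates the shared buffer, then reads it again to act. */
int handle_in_place(cmd_buf_t *shared, uint8_t *mem, dma_hook_t dma)
{
    if (!params_ok(shared->offset, shared->length))
        return -1;
    if (dma) dma(shared);               /* contents change after the check */
    memcpy(mem + shared->offset, shared->data, shared->length);
    return 0;
}

/* Hardened pattern: snapshot once, then check and use only the private copy. */
int handle_snapshot(cmd_buf_t *shared, uint8_t *mem, dma_hook_t dma)
{
    cmd_buf_t local;
    memcpy(&local, shared, sizeof local);
    if (dma) dma(shared);               /* later changes no longer matter */
    if (!params_ok(local.offset, local.length))
        return -1;
    memcpy(mem + local.offset, local.data, local.length);
    return 0;
}

/* Constructed race: rewrite the offset to point past the allowed region. */
static void redirect_offset(cmd_buf_t *shared) { shared->offset = 96; }

/* Returns 1 if a byte outside the allowed region was modified. */
int wrote_outside(int hardened)
{
    uint8_t mem[BACKING] = {0};
    cmd_buf_t shared = { 0, 4, {0xAA, 0xAA, 0xAA, 0xAA} };
    if (hardened) handle_snapshot(&shared, mem, redirect_offset);
    else          handle_in_place(&shared, mem, redirect_offset);
    return mem[96] != 0;
}
```

The same validation routine is used in both handlers; only the point at which the parameters are read differs, which is what closes the window.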