What is the severity of CVE-2022-33986?

The severity of CVE-2022-33986 is medium, with a severity value of 6.4.

What is the affected software for CVE-2022-33986?

The affected software for CVE-2022-33986 is Insyde Kernel version 5.4.05.44.23 and 5.5.05.52.23.

What is a TOCTOU attack?

A TOCTOU attack, or Time-of-Check to Time-of-Use attack, is a vulnerability that occurs when a condition is checked at one time but the result is used at a different time.

DMA stands for Direct Memory Access and refers to a feature of computer systems that allows certain devices to access system memory directly without going through the CPU.

How can I mitigate the vulnerability in CVE-2022-33986?

To mitigate the vulnerability in CVE-2022-33986, it is recommended to update the Insyde Kernel software to a version that is not affected by the vulnerability.

Vulnerability/
CVE-2022-33986

medium

6.4

CWE

367

14/11/2022

3/8/2024

CVE-2022-33986

First published: Mon Nov 14 2022(Updated: )

DMA attacks on the parameter buffer used by the VariableRuntimeDxe software SMI handler could lead to a TOCTOU attack. DMA attacks on the parameter buffer used by the software SMI handler used by the driver VariableRuntimeDxe could lead to a TOCTOU attack on the SMI handler and lead to corruption of SMRAM. This issue was discovered by Insyde engineering during a security review. This issue is fixed in Kernel 5.4: 05.44.23 and Kernel 5.5: 05.52.23. CWE-367 CWE-367 Report at: https://www.insyde.com/security-pledge/SA-2022056

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Insyde Kernel	>=5.4<5.4.05.44.23
Insyde Kernel	>=5.5<5.5.05.52.23

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2022-33986?
The severity of CVE-2022-33986 is medium, with a severity value of 6.4.
What is the affected software for CVE-2022-33986?
The affected software for CVE-2022-33986 is Insyde Kernel version 5.4.05.44.23 and 5.5.05.52.23.
What is a TOCTOU attack?
A TOCTOU attack, or Time-of-Check to Time-of-Use attack, is a vulnerability that occurs when a condition is checked at one time but the result is used at a different time.
What is DMA?
DMA stands for Direct Memory Access and refers to a feature of computer systems that allows certain devices to access system memory directly without going through the CPU.
How can I mitigate the vulnerability in CVE-2022-33986?
To mitigate the vulnerability in CVE-2022-33986, it is recommended to update the Insyde Kernel software to a version that is not affected by the vulnerability.

collector/nvd-index
agent/weakness
agent/severity
agent/references
agent/author
agent/type
agent/event
agent/description
agent/first-publish-date
agent/softwarecombine
agent/last-modified-date
agent/tags
collector/mitre-cve
source/MITRE
vendor/insyde
canonical/insyde kernel
version/insyde kernel/5.4
version/insyde kernel/5.5

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.