CVE-2022-35407: Buffer Overflow
First published: Tue Nov 22 2022(Updated: )
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. A stack buffer overflow leads to arbitrary code execution in the SetupUtility driver on Intel platforms. An attacker can change the values of certain UEFI variables. If the size of the second variable exceeds the size of the first, then the buffer will be overwritten. This issue affects the SetupUtility driver of InsydeH2O.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Insyde Kernel | >=5.0<=5.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2022-35407.
What is the severity of CVE-2022-35407?
The severity of CVE-2022-35407 is high with a CVSS score of 7.8.
What is the affected software for CVE-2022-35407?
The affected software for CVE-2022-35407 is InsydeH2O with kernel versions 5.0 through 5.5.
How does CVE-2022-35407 impact Intel platforms?
CVE-2022-35407 allows an attacker to execute arbitrary code in the SetupUtility driver and change the values of certain UEFI variables on Intel platforms.
Are there any fixes or patches available for CVE-2022-35407?
Please refer to Insyde's security pledge and SA-2022040 for information on available fixes or patches for CVE-2022-35407.
- collector/nvd-index
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/tags
- agent/type
- agent/description
- agent/event
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- vendor/insyde
- canonical/insyde kernel
- version/insyde kernel/5.0
- version/insyde kernel/5.5