6

CVE-2022-35894

Exploit
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The SMI handler for the FwBlockServiceSmm driver uses an untrusted pointer as the location to copy data to an attacker-specified buffer, leading to information disclosure.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
InsydeInsydeh2o Version >= 5.0 < 05.09.37
InsydeInsydeh2o Version >= 5.1 < 5.17.37
InsydeInsydeh2o Version >= 5.2 < 05.27.29
InsydeInsydeh2o Version >= 5.3 < 05.36.29
InsydeInsydeh2o Version >= 5.4 < 05.44.29
InsydeInsydeh2o Version >= 5.5 < 05.52.29
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.31% 0.229
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6 1.5 4
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 6 1.5 4
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

https://www.insyde.com/security-pledge
Vendor Advisory
https://binarly.io/advisories/BRLY-2022-018/index.html
Third Party Advisory
Exploit
https://www.insyde.com/security-pledge/SA-2022030
Vendor Advisory