PT-2022-21191 · Insyde · InsydeH2O

Published: 2022-11-14 · Updated: 2025-04-30 · CVE-2022-32266

CVSS v3.1: 6.4 (Medium)

Vector: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Insyde InsydeH2O versions 5.0 through 5.5

Insyde InsydeH2O Kernel 5.3 version 05.36.23

Insyde InsydeH2O Kernel 5.4 version 05.44.23

Insyde InsydeH2O Kernel 5.5 version 05.52.23

Description

The issue arises from DMA attacks on the parameter buffer used by a software SMI handler in the PcdSmmDxe driver, potentially leading to a TOCTOU attack on the SMI handler. This could result in corruption of other ACPI fields and adjacent memory fields. The attack requires detailed knowledge of the PCD database contents on the current platform.
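
The double-fetch pattern behind this class of TOCTOU issue, as an added example that is not Insyde's code and not part of the original advisory: a handler that validates a length in a shared parameter buffer and then reads it again, next to one that copies the buffer into private memory before checking it. All structure, function and constant names are hypothetical, and the `late_write_t` callback is a constructed stand-in for a DMA write that lands while the handler runs.

```c
#include <stdint.h>
#include <string.h>

#define FIELD_MAX 8 /* constructed size of the field the handler may write */

/* Hypothetical parameter block in OS-visible memory, writable by DMA. */
typedef struct { uint32_t length; uint8_t data[16]; } smi_params_t;
/* Hypothetical table: the target field followed by adjacent data. */
typedef struct { uint8_t field[FIELD_MAX]; uint8_t adjacent[8]; } table_t;
/* Constructed stand-in for a device write that lands mid-handler. */
typedef void (*late_write_t)(volatile smi_params_t *p);
typedef int (*handler_t)(volatile smi_params_t *, table_t *, late_write_t);

static void grow_length(volatile smi_params_t *p) { p->length = 16; }

/* Double fetch: length is checked, then read again from shared memory. */
int handler_double_fetch(volatile smi_params_t *shared, table_t *t, late_write_t w)
{
    uint8_t *dst = (uint8_t *)t;
    if (shared->length > FIELD_MAX) return -1;      /* time of check */
    if (w) w(shared);                               /* buffer changes here */
    for (uint32_t i = 0; i < shared->length; i++)   /* time of use: re-read */
        dst[i] = shared->data[i];
    return 0;
}

/* Snapshot: copy once into private memory, then check and use only the copy. */
int handler_snapshot(volatile smi_params_t *shared, table_t *t, late_write_t w)
{
    smi_params_t local;
    uint8_t *l = (uint8_t *)&local;
    for (size_t i = 0; i < sizeof local; i++)
        l[i] = ((volatile uint8_t *)shared)[i];
    if (w) w(shared);                               /* no effect on the copy */
    if (local.length > FIELD_MAX) return -1;
    memcpy(t->field, local.data, local.length);
    return 0;
}

/* Returns how many bytes outside the target field a handler overwrote. */
int adjacent_bytes_changed(handler_t handler)
{
    smi_params_t shared = { .length = FIELD_MAX };  /* valid when checked */
    table_t t;
    int changed = 0;
    memset(shared.data, 0xAA, sizeof shared.data);
    memset(&t, 0, sizeof t);
    handler(&shared, &t, grow_length);
    for (size_t i = 0; i < sizeof t.adjacent; i++) changed += (t.adjacent[i] != 0);
    return changed;
}
```

In firmware the private copy would live in SMRAM, which is why the snapshot closes the window: nothing outside SMM can change the values between the check and the write.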

Recommendations

For Insyde InsydeH2O versions 5.0 through 5.2, update to Kernel 5.3 version 05.36.23 or later.

For Insyde InsydeH2O Kernel 5.3 versions prior to 05.36.23, update to version 05.36.23 or later.

For Insyde InsydeH2O Kernel 5.4 versions prior to 05.44.23, update to version 05.44.23 or later.

For Insyde InsydeH2O Kernel 5.5 versions prior to 05.52.23, update to version 05.52.23 or later.

As a temporary workaround, consider restricting access to the PcdSmmDxe driver until a patch is available.

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2022-32266

Affected Products

InsydeH2O