PT-2022-21948 · Insyde · Insydeh2O Uefi Firmware
Published
2022-11-14
·
Updated
2025-04-30
·
CVE-2022-33986
CVSS v3.1
6.4
Medium
| Vector | AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
InsydeH2O UEFI firmware Kernel versions prior to 5.4: 05.44.23
InsydeH2O UEFI firmware Kernel versions prior to 5.5: 05.52.23
Description
The issue concerns DMA attacks on the parameter buffer used by the VariableRuntimeDxe software SMI handler, potentially leading to a Time-of-Check-to-Time-of-Use (TOCTOU) attack. This could result in corruption of SMRAM. The problem was identified during a security review by Insyde engineering.
Recommendations
For Kernel versions prior to 5.4: 05.44.23, update to Kernel 5.4: 05.44.23 to resolve the issue.
For Kernel versions prior to 5.5: 05.52.23, update to Kernel 5.5: 05.52.23 to resolve the issue.
Fix
Time Of Check To Time Of Use
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Insydeh2O Uefi Firmware