CVE-2022-35407

Name of the Vulnerable Software and Affected Versions Insyde InsydeH2O versions 5.0 through 5.5

Description A stack buffer overflow issue in the SetupUtility driver on Intel platforms leads to arbitrary code execution. This allows an attacker to change the values of certain UEFI variables by overwriting the buffer if the size of the second variable exceeds the size of the first.

Recommendations For Insyde InsydeH2O versions 5.0 through 5.5, consider disabling the SetupUtility driver until a patch is available to prevent arbitrary code execution. Restrict access to the UEFI variables to minimize the risk of exploitation. Avoid using the vulnerable SetupUtility driver on Intel platforms until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.