CVE-2022-35408

Name of the Vulnerable Software and Affected Versions Insyde InsydeH2O versions 5.0 through 5.5

Description An issue was discovered in Insyde InsydeH2O, where an SMM callout vulnerability in the SMM driver in UsbLegacyControlSmm leads to possible arbitrary code execution in SMM and escalation of privileges. An attacker could overwrite the function pointers in the EFI BOOT SERVICES table before the USB SMI handler triggers. This issue is not exploitable from code running in the operating system.

Recommendations For Insyde InsydeH2O versions 5.0 through 5.5, consider disabling the UsbLegacyControlSmm SMM driver as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.