PT-2023-12745 · Insyde · InsydeH2O

Published: 2023-04-12 · Updated: 2025-03-19 · CVE-2022-24350

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Insyde InsydeH2O versions 5.0 through 5.5
Description
An issue was discovered in IhisiSmm: IHISI function 0x17 does not verify that its output fits inside the caller-supplied command buffer before writing it. The handler writes the output first and only then compares sizes, so the memory immediately following the command buffer can be overwritten before the buffer-size error is returned. A locally privileged caller who triggers the software SMI with a specially formatted command buffer can therefore corrupt memory outside the buffer, including SMRAM, leading to escalation of privilege into SMM.
Recommendations
The defect is in the firmware's SMI handler, so only a vendor firmware update closes it; the malformed command buffer is the attacker's input and cannot be "avoided" by the defender. Until an updated firmware build is installed on systems running versions 5.0 through 5.5, reduce exposure by limiting which software on the host can issue IHISI software SMIs, in particular function 0x17: the attack requires local access with elevated privileges (AV:L/PR:L), so restricting administrative access to the host is the practical interim control. No fixed version is recorded here; consult Insyde's security advisories for the updated InsydeH2O release for your branch.
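The write-then-check pattern the description refers to, shown side by side with the corrected order of operations. This is an added C example and not Insyde's code: the command-buffer layout, the status codes and the fixed 64-byte output are assumptions constructed for illustration, since the page does not give the real IHISI structures. A guard region placed directly after the command buffer stands in for "the data immediately following the command buffer"; the vulnerable handler clobbers it before returning the size error, while the fixed handler validates the declared capacity first and reports the required size without writing any payload.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status codes; the real IHISI return values are not on the page. */
enum { IHISI_OK = 0, IHISI_BUFFER_TOO_SMALL = 1 };

/* Hypothetical command buffer: a caller-declared capacity followed by the
 * space the SMI function writes its output into. The layout is an assumption. */
typedef struct {
    uint32_t out_size;   /* caller-declared capacity of out[] in bytes */
    uint8_t  out[];      /* output written by the function */
} ihisi_cmd_t;

#define OUTPUT_LEN 64u   /* constructed: the function always produces 64 bytes */

/* Constructed stand-in for the data function 0x17 would return. */
static void produce_output(uint8_t *dst)
{
    for (unsigned i = 0; i < OUTPUT_LEN; i++)
        dst[i] = (uint8_t)(0xA0 + i);
}

/* Pattern the advisory describes: write first, check afterwards. By the time
 * the size error is returned, the bytes after the command buffer are gone. */
int handle_fn17_vulnerable(ihisi_cmd_t *cmd)
{
    produce_output(cmd->out);            /* unbounded: always OUTPUT_LEN bytes */
    if (cmd->out_size < OUTPUT_LEN)
        return IHISI_BUFFER_TOO_SMALL;   /* correct code, but too late */
    return IHISI_OK;
}

/* Hardened pattern: validate the declared capacity before any write, and
 * report the required size instead of payload when it is too small. */
int handle_fn17_fixed(ihisi_cmd_t *cmd)
{
    if (cmd->out_size < OUTPUT_LEN) {
        cmd->out_size = OUTPUT_LEN;      /* tell the caller what it needs */
        return IHISI_BUFFER_TOO_SMALL;
    }
    produce_output(cmd->out);
    return IHISI_OK;
}

#define GUARD_LEN  OUTPUT_LEN
#define GUARD_BYTE 0x5A

/* Test rig: place a command buffer with `capacity` output bytes directly in
 * front of a guard region that stands in for the memory following the
 * command buffer. Returns the handler's status; *guard_intact is set to 1 if
 * the guard survived the call and to 0 if the handler wrote into it. */
int exercise(int (*handler)(ihisi_cmd_t *), uint32_t capacity, int *guard_intact)
{
    size_t total = sizeof(uint32_t) + capacity + GUARD_LEN;
    uint8_t *region = calloc(1, total);
    if (!region) return -1;

    ihisi_cmd_t *cmd = (ihisi_cmd_t *)region;
    cmd->out_size = capacity;
    uint8_t *guard = region + sizeof(uint32_t) + capacity;
    memset(guard, GUARD_BYTE, GUARD_LEN);

    int status = handler(cmd);

    int intact = 1;
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (guard[i] != GUARD_BYTE) { intact = 0; break; }
    if (guard_intact) *guard_intact = intact;

    free(region);
    return status;
}

int main(void)
{
    int g;
    int s = exercise(handle_fn17_vulnerable, 16, &g);
    printf("vulnerable, 16-byte buffer: status=%d guard_intact=%d\n", s, g);
    s = exercise(handle_fn17_fixed, 16, &g);
    printf("fixed,      16-byte buffer: status=%d guard_intact=%d\n", s, g);
    s = exercise(handle_fn17_fixed, OUTPUT_LEN, &g);
    printf("fixed,      64-byte buffer: status=%d guard_intact=%d\n", s, g);
    return 0;
}
```

Note that both handlers return the same IHISI_BUFFER_TOO_SMALL status for the undersized buffer; the error code alone tells the caller nothing about whether memory was already destroyed, which is why the size check has to come before the first write rather than after it. In a real SMI handler the size check is necessary but not sufficient: general SMM hardening practice also requires verifying that the caller's command buffer lies entirely outside SMRAM before reading or writing it, a check this advisory text does not discuss.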

Weakness Enumeration

Buffer Overflow

Related Identifiers

CVE-2022-24350

Affected Products

InsydeH2O