PT-2025-17630 · Insyde · InsydeH2O

Published: 2025-04-23 · Updated: 2025-08-15 · CVE-2024-52877

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions:

Insyde InsydeH2O kernel versions 5.2 through 05.29.49
Insyde InsydeH2O kernel versions 5.3 through 05.38.49
Insyde InsydeH2O kernel versions 5.4 through 05.46.49
Insyde InsydeH2O kernel versions 5.5 through 05.54.49
Insyde InsydeH2O kernel versions 5.6 through 05.61.49
Insyde InsydeH2O kernel versions 5.7 through 05.70.49

Description: A buffer over-read issue was discovered in the VariableRuntimeDxe driver. The SmmCreateVariableLockList() callback function calls CreateVariableLockListInSmm(), which uses StrSize() to get the variable name size. This could lead to a buffer over-read.

Recommendations:

For Insyde InsydeH2O kernel versions 5.2 through 05.29.49, update to version 05.29.50 or later.
For Insyde InsydeH2O kernel versions 5.3 through 05.38.49, update to version 05.38.50 or later.
For Insyde InsydeH2O kernel versions 5.4 through 05.46.49, update to version 05.46.50 or later.
For Insyde InsydeH2O kernel versions 5.5 through 05.54.49, update to version 05.54.50 or later.
For Insyde InsydeH2O kernel versions 5.6 through 05.61.49, update to version 05.61.50 or later.
For Insyde InsydeH2O kernel versions 5.7 through 05.70.49, update to version 05.70.50 or later.
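
The weakness class named in the description, shown as an added stand-alone C illustration (not Insyde's code and not the vendor's fix): a StrSize()-style scan keeps reading past a name field that lacks a terminator, while a length-bounded scan rejects it. The helper names, the 8-byte field size and the sample data are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t CHAR16;              /* UEFI variable names are NUL-terminated UCS-2 */
#define NAME_FIELD_BYTES 8            /* assumed size of the caller-supplied name field */

/* Constructed sample memory: elements 0..3 are the name field, 4..7 stand in
 * for unrelated data that happens to follow it. */
static const CHAR16 unterminated[8] = { 'A', 'B', 'C', 'D', 'S', 'E', 'C', 0 };
static const CHAR16 well_formed[8]  = { 'A', 'B', 0, 0, 'S', 'E', 'C', 0 };

/* StrSize()-style: scan to the first NUL with no idea where the field ends.
 * Returns bytes including the terminator. */
static size_t size_unbounded(const CHAR16 *s)
{
    size_t n = 0;
    while (s[n] != 0)
        n++;
    return (n + 1) * sizeof(CHAR16);
}

/* Bounded variant (hypothetical helper): never reads past field_bytes.
 * Returns bytes including the terminator, or 0 if none is inside the field. */
static size_t size_bounded(const CHAR16 *s, size_t field_bytes)
{
    size_t max_chars = field_bytes / sizeof(CHAR16);
    for (size_t i = 0; i < max_chars; i++)
        if (s[i] == 0)
            return (i + 1) * sizeof(CHAR16);
    return 0;
}

/* A handler should reject the request when the name is empty or unterminated. */
static int name_is_valid(const CHAR16 *s, size_t field_bytes)
{
    return size_bounded(s, field_bytes) > sizeof(CHAR16);
}

int main(void)
{
    printf("unbounded:   %zu bytes (field is %d)\n",
           size_unbounded(unterminated), NAME_FIELD_BYTES);
    printf("bounded:     %zu bytes, valid=%d\n",
           size_bounded(unterminated, NAME_FIELD_BYTES),
           name_is_valid(unterminated, NAME_FIELD_BYTES));
    printf("well-formed: %zu bytes, valid=%d\n",
           size_bounded(well_formed, NAME_FIELD_BYTES),
           name_is_valid(well_formed, NAME_FIELD_BYTES));
    return 0;
}
```
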

Fix

Buffer Over-read

Weakness Enumeration

Related Identifiers

CVE-2024-52877

Affected Products

InsydeH2O