PT-2025-17632 · Insyde · InsydeH2O

Published 2025-04-23 · Updated 2025-08-15 · CVE-2024-52879

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Insyde InsydeH2O kernel versions 5.2 through 5.7 before version 05.70.50
Description: An issue was discovered in the InsydeH2O kernel, where the SmmUpdateVariablePropertySmi() function, a SMM callback function in the VariableRuntimeDxe driver, uses StrCmp() to compare variable names. This action may cause a buffer over-read.
Recommendations: For Insyde InsydeH2O kernel versions 5.2 through 5.7 before version 05.70.50, update to version 05.70.50 or later to resolve the issue. As a temporary workaround, consider restricting access to the VariableRuntimeDxe driver until a patch is available.
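
Added illustration (constructed code, not Insyde's source and not part of the advisory): why a StrCmp()-style comparison over-reads when a caller-supplied variable name has no terminator inside its buffer, next to a length-bounded check that rejects such input. The `CHAR16` typedef, the function names and the sample buffer are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t CHAR16;   /* UEFI-style UTF-16 code unit (assumed typedef) */

/* StrCmp-style compare: walks until a NUL or a mismatch and never learns how
 * large the caller's buffer is. Returns how many CHAR16s it read from `a`. */
static size_t unbounded_cmp_reads(const CHAR16 *a, const CHAR16 *b)
{
    size_t i = 0;
    while (a[i] != 0 && a[i] == b[i])
        i++;
    return i + 1;          /* counts the unit that ended the loop */
}

/* Bounded compare: 1 = equal, 0 = different, -1 = reject because no NUL
 * exists inside the avail_bytes the caller actually supplied. */
static int bounded_name_equals(const CHAR16 *name, size_t avail_bytes,
                               const CHAR16 *expected)
{
    size_t max_units = avail_bytes / sizeof(CHAR16), len = 0, i;
    while (len < max_units && name[len] != 0)
        len++;
    if (len == max_units)
        return -1;         /* unterminated: refuse before comparing */
    for (i = 0; i <= len; i++)
        if (name[i] != expected[i])
            return 0;
    return 1;
}

/* Constructed sample: the caller's buffer is only the first 4 CHAR16s and
 * holds no terminator; the rest stands in for whatever memory follows it. */
static const CHAR16 region[] = { 'B','o','o','t', 'X','X', 0 };
#define COMM_BYTES (4 * sizeof(CHAR16))
static const CHAR16 target[]  = { 'B','o','o','t','O','r','d','e','r', 0 };
static const CHAR16 ok_name[] = { 'B','o','o','t','O','r','d','e','r', 0 };

int main(void)
{
    printf("unbounded read %zu units from a 4-unit buffer\n",
           unbounded_cmp_reads(region, target));
    printf("bounded, unterminated input: %d\n",
           bounded_name_equals(region, COMM_BYTES, target));
    printf("bounded, well-formed input:  %d\n",
           bounded_name_equals(ok_name, sizeof ok_name, target));
    return 0;
}
```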

Fix

Buffer Over-read

Weakness Enumeration

Related Identifiers: CVE-2024-52879

Affected Products: InsydeH2O