PT-2025-17633 · Insyde · Kernel

Published: 2025-04-23 · Updated: 2025-07-29 · CVE-2024-52880

CVSS v3.1: 7.9 (High)

Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions:
Insyde InsydeH2O kernel versions 5.2 through 05.29.49
Insyde InsydeH2O kernel versions 5.3 through 05.38.49
Insyde InsydeH2O kernel versions 5.4 through 05.46.49
Insyde InsydeH2O kernel versions 5.5 through 05.54.49
Insyde InsydeH2O kernel versions 5.6 through 05.61.49
Insyde InsydeH2O kernel versions 5.7 through 05.70.49

Description: An issue was discovered in the VariableRuntimeDxe driver, where the SecureBootHandler uses DataSize and VariableNameSize when determining if the data or name are in the buffer. However, these values are supplied by the caller and therefore cannot be trusted.

Recommendations:
For Insyde InsydeH2O kernel versions 5.2 through 05.29.49, update to version 05.29.50 or later.
For Insyde InsydeH2O kernel versions 5.3 through 05.38.49, update to version 05.38.50 or later.
For Insyde InsydeH2O kernel versions 5.4 through 05.46.49, update to version 05.46.50 or later.
For Insyde InsydeH2O kernel versions 5.5 through 05.54.49, update to version 05.54.50 or later.
For Insyde InsydeH2O kernel versions 5.6 through 05.61.49, update to version 05.61.50 or later.
For Insyde InsydeH2O kernel versions 5.7 through 05.70.49, update to version 05.70.50 or later.
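
The Description's point, that size fields written by the caller cannot by themselves prove the name and data lie inside the buffer, shown as an added example; this is not Insyde's code and does not reproduce the actual handler or its fix. The header layout, the function names and the wrapping sum in the naive check are assumptions made for illustration, with only the field names DataSize and VariableNameSize taken from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical request header: two caller-written size fields, followed by
   the name bytes and then the data bytes. Not Insyde's actual layout. */
typedef struct {
    uint64_t VariableNameSize;
    uint64_t DataSize;
} var_request_hdr;

/* Flawed pattern: the caller's sizes are summed before being bounded, so the
   unsigned sum can wrap modulo 2^64 and still compare <= buf_len. */
int request_fits_naive(const uint8_t *buf, size_t buf_len)
{
    var_request_hdr h;
    if (buf == NULL || buf_len < sizeof(h)) return 0;
    memcpy(&h, buf, sizeof(h));
    return sizeof(h) + h.VariableNameSize + h.DataSize <= buf_len;
}

/* Hardened pattern: buf_len is the length the handler itself knows (trusted).
   The header is copied once into local storage so later use sees the values
   that were checked, and each field is bounded by the bytes still remaining,
   using subtraction only, which cannot wrap. */
int request_fits(const uint8_t *buf, size_t buf_len, var_request_hdr *checked)
{
    var_request_hdr h;
    size_t remaining;
    if (buf == NULL || checked == NULL || buf_len < sizeof(h)) return 0;
    memcpy(&h, buf, sizeof(h));
    remaining = buf_len - sizeof(h);
    if (h.VariableNameSize > remaining) return 0;
    remaining -= (size_t)h.VariableNameSize;
    if (h.DataSize > remaining) return 0;
    *checked = h;
    return 1;
}

/* Constructed sample input: write a header with the given sizes into buf. */
void make_request(uint8_t *buf, uint64_t name_size, uint64_t data_size)
{
    var_request_hdr h = { name_size, data_size };
    memcpy(buf, &h, sizeof(h));
}
```

After a successful request_fits call, later code should read the sizes from the checked copy rather than from the caller-writable buffer.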

Fix

RCE

Weakness Enumeration

Related Identifiers: CVE-2024-52880

Affected Products: Kernel