CVE-2022-35407

HIGH

Insyde Kernel 5.0-5.5 - Out-of-bounds Write in SetupUtility Driver

Title source: llm
STIX 2.1

Description

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. A stack buffer overflow leads to arbitrary code execution in the SetupUtility driver on Intel platforms. An attacker can change the values of certain UEFI variables. If the size of the second variable exceeds the size of the first, then the buffer will be overwritten. This issue affects the SetupUtility driver of InsydeH2O.

References (2)

Core 2

Scores

CVSS v3 7.8
EPSS 0.0023
EPSS Percentile 13.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-787
Status published
Products (1)
insyde/kernel 5.0 - 5.5
Published Nov 22, 2022
Tracked Since Feb 18, 2026