CVE-2022-35894

MEDIUM

Insyde InsydeH2O <5.5 - Info Disclosure

Title source: llm

Description

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The SMI handler for the FwBlockServiceSmm driver uses an untrusted pointer as the location to copy data to an attacker-specified buffer, leading to information disclosure.

References (3)

[Exploit, Third Party Advisory] https://binarly.io/advisories/BRLY-2022-018/index.html

[Vendor Advisory] https://www.insyde.com/security-pledge

[Vendor Advisory] https://www.insyde.com/security-pledge/SA-2022030

Scores

CVSS v3 6.0

EPSS 0.0006

EPSS Percentile 19.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Classification

CWE

CWE-401

Status published

Affected Products (1)

insyde/insydeh2o < 05.09.37

Timeline

Published Sep 22, 2022

Tracked Since Feb 18, 2026