CVE-2023-22616

HIGH

InsydeH2O <5.5 - Memory Corruption

Title source: llm

Description

An issue was discovered in Insyde InsydeH2O with kernel 5.2 through 5.5. The Save State register is not checked before use. The IhisiSmm driver does not check the value of a save state register before use. Due to insufficient input validation, an attacker can corrupt SMRAM.

References (3)

[Exploit, Third Party Advisory] https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode/

[Vendor Advisory] https://www.insyde.com/security-pledge

[Vendor Advisory] https://www.insyde.com/security-pledge/SA-2023022

Scores

CVSS v3 7.8

EPSS 0.0011

EPSS Percentile 29.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-610

Status published

Products (1)

insyde/insydeh2o 5.2 - 5.5

Published Apr 12, 2023

Tracked Since Feb 18, 2026