CVE-2024-52878

HIGH

Insydeh2o < 5.2.05.29.50 - Buffer Over-read

Title source: rule
STIX 2.1

Description

An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, VariableServicesSetVariable () can be called by gRT_>SetVariable () or the SmmSetSensitiveVariable () or SmmInternalSetVariable () from SMM. In VariableServicesSetVariable (), it uses StrSize () to get variable name size, uses StrLen () to get variable name length and uses StrCmp () to compare strings. These actions may cause a buffer over-read.

References (2)

Scores

CVSS v3 7.5
EPSS 0.0029
EPSS Percentile 52.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-126
Status published
Products (1)
insyde/insydeh2o 5.2 - 5.2.05.29.50
Published May 15, 2025
Tracked Since Feb 18, 2026