CVE-2025-4276

HIGH

InsydeH2O Kernel 5.3-5.7 - Arbitrary SMRAM Write and SMM Code Execution via UsbCoreDxe

Title source: llm

Description

UsbCoreDxe has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level.

Scores

CVSS v3: 7.5
EPSS: 0.0013
EPSS Percentile: 3.1%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-20
Status: published
Products (5)
Insyde Software/InsydeH2O Kernel 5.3 - 05.39.18
Insyde Software/InsydeH2O Kernel 5.4 - 05.47.18
Insyde Software/InsydeH2O Kernel 5.5 - 05.55.18
Insyde Software/InsydeH2O Kernel 5.6 - 05.62.18
Insyde Software/InsydeH2O Kernel 5.7 - 05.71.18
Published: Aug 13, 2025
Tracked Since: Feb 18, 2026