CVE-2023-22613
Severity CVSS v4.0:
Pending analysis
Type:
CWE-787
Out-of-bounds Write
Publication date:
11/04/2023
Last modified:
11/02/2025
Description
An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. It is possible to write to an attacker-controlled address. An attacker could invoke an SMI handler with a malformed pointer in RCX that overlaps SMRAM, resulting in SMM memory corruption.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:insyde:insydeh2o:05.27.37:*:*:*:*:*:*:* | ||
| cpe:2.3:a:insyde:insydeh2o:05.36.37:*:*:*:*:*:*:* | ||
| cpe:2.3:a:insyde:insydeh2o:05.44.45:*:*:*:*:*:*:* | ||
| cpe:2.3:a:insyde:insydeh2o:05.52.45:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode/
- https://www.insyde.com/security-pledge
- https://www.insyde.com/security-pledge/SA-2023023
- https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode/
- https://www.insyde.com/security-pledge
- https://www.insyde.com/security-pledge/SA-2023023