Vulnerability Description
An stack buffer overflow vulnerability leads to arbitrary code execution issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. If the attacker modifies specific UEFI variables, it can cause a stack overflow, leading to arbitrary code execution. The specific variables are normally locked (read-only) at the OS level and therefore an attack would require direct SPI modification. If an attacker can change the values of at least two variables out of three (SecureBootEnforce, SecureBoot, RestoreBootSettings), it is possible to execute arbitrary code.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Insyde | Kernel | >= 5.0, <= 5.5 |
Related Weaknesses (CWE)
References
- https://www.insyde.com/security-pledgeVendor Advisory
- https://www.insyde.com/security-pledge/SA-2022041Vendor Advisory
- https://www.insyde.com/security-pledgeVendor Advisory
- https://www.insyde.com/security-pledge/SA-2022041Vendor Advisory
FAQ
What is CVE-2022-35897?
CVE-2022-35897 is a vulnerability with a CVSS score of 6.8 (MEDIUM). An stack buffer overflow vulnerability leads to arbitrary code execution issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. If the attacker modifies specific UEFI variables, it can ...
How severe is CVE-2022-35897?
CVE-2022-35897 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-35897?
Check the references section above for vendor advisories and patch information. Affected products include: Insyde Kernel.