CVE-2022-35897
low-risk
Published 2022-11-21
An stack buffer overflow vulnerability leads to arbitrary code execution issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. If the attacker modifies specific UEFI variables, it can cause a stack overflow, leading to arbitrary code execution. The specific variables are normally locked (read-only) at the OS level and therefore an attack would require direct SPI modification. If an attacker can change the values of at least two variables out of three (SecureBootEnforce, SecureBoot, RestoreBootSettings), it is possible to execute arbitrary code.
Do I need to act?
-
0.26% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.8/10
Medium
PHYSICAL
/ LOW complexity
Affected Products (1)
Affected Vendors
References (4)
Vendor Advisory
https://www.insyde.com/security-pledge
Vendor Advisory
https://www.insyde.com/security-pledge/SA-2022041
Vendor Advisory
https://www.insyde.com/security-pledge
Vendor Advisory
https://www.insyde.com/security-pledge/SA-2022041
28
/ 100
low-risk
Severity
22/34 · High
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal