CVE-2023-22612

moderate-risk

Published 2023-04-11

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. A malicious host OS can invoke an Insyde SMI handler with malformed arguments, resulting in memory corruption in SMM.

Do I need to act?

0.21% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

LOCAL / LOW complexity

Affected Products (6)

Insydeh2O

Affected Vendors

Insyde

References (6)

Not Applicable https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode/

Vendor Advisory https://www.insyde.com/security-pledge

Vendor Advisory https://www.insyde.com/security-pledge/SA-2023019

Not Applicable https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode/

Vendor Advisory https://www.insyde.com/security-pledge

Vendor Advisory https://www.insyde.com/security-pledge/SA-2023019

/ 100

moderate-risk

Severity 27/34 · High

Exploitability 1/34 · Minimal

Exposure 13/34 · Low