Insyde InsydeH2O Improper Input Validation Vulnerability in UsbCoreDxe SMM Module Allowing Arbitrary Code Execution

Vulnerability

A vulnerability has been identified in the UsbCoreDxe component of Insyde InsydeH2O versions 5.4 prior to 05.47.01, 5.5 prior to 05.55.01, 5.6 prior to 05.62.01, and 5.7 prior to 05.71.01. This vulnerability arises from improper input validation, which can be exploited to write arbitrary memory within SMRAM and execute arbitrary code at the SMM level.

Impact

Exploitation of this vulnerability allows for arbitrary code execution at the SMM level, with the potential to write arbitrary memory inside SMRAM.

Remediation

Users can upgrade to InsydeH2O versions 05.47.01, 05.55.01, 05.62.01, or 05.71.01 to address this vulnerability.

Added: Jun 12, 2025, 5:26 PM
Updated: Jun 12, 2025, 5:26 PM

Vulnerability Rating

Custom Algorithm

spread: 8.4
impact: 7.5
exploitability: 2.8
remediation: 7.7
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.