InsydeH2O
cpe:2.3:a:insyde:insydeh20:*:*:*:*:*:*:*
A vulnerability has been identified in the Insyde BIOS code developed for Lenovo, specifically in the SetupAutomationSmm module. It is categorized as an out-of-bounds write: an attacker can cause a stack overflow in the SMI handler, writing arbitrary code and corrupting memory. The issue is present in several Lenovo products that use Insyde BIOS.
Exploitation of this vulnerability allows arbitrary code execution in System Management Mode (SMM), a privileged execution environment. This could lead to memory corruption, potentially allowing further exploitation or manipulation of system processes.
Users can update to the Lenovo feature version L05.05.40.011803.172079 to address this vulnerability.