CVE-2022-27538 — Time-of-check Time-of-use (TOCTOU) Race Condition in INC HP PC Bios

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition3 documents3 sources

Severity

7.0HIGHNVD

EPSS

0.0%

top 91.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

315

HP Dragonfly Folio G3 2-in-1 Firmware HP Elite Dragonfly Firmware HP Elite Dragonfly G2 Firmware +312 more

Timeline

PublishedFeb 1

Description

A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in the BIOS for certain HP PC products which may allow arbitrary code execution, denial of service, and information disclosure. HP is releasing BIOS updates to mitigate the potential vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages315 packages

▶CVEListV5hp_inc/hp_pc_biosSee HP Security Bulletin reference for affected versions.

▶NVDhp/mt22_firmware< 01.14.00

▶NVDhp/mt32_firmware< 01.11.00

▶NVDhp/mt44_firmware< 01.22.00

▶NVDhp/mt45_firmware< 01.22.00

Patches

Patch: support.hp.com ↗Patch: support.hp.com ↗

🔴Vulnerability Details

GHSA

GHSA-vrcv-rg57-32pr: A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in the BIOS for certain HP PC products which may allow arbitrary c↗2023-02-01

▶

CVEList

CVE-2022-27538: A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in the BIOS for certain HP PC products which may allow arbitrary c↗2023-01-30

▶