CVE-2022-35897Out-of-bounds Write in Kernel

CWE-787Out-of-bounds Write3 documents3 sources
Severity
6.8MEDIUMNVD
EPSS
0.3%
top 50.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Insyde Kernel
Timeline
PublishedNov 21

Description

An stack buffer overflow vulnerability leads to arbitrary code execution issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. If the attacker modifies specific UEFI variables, it can cause a stack overflow, leading to arbitrary code execution. The specific variables are normally locked (read-only) at the OS level and therefore an attack would require direct SPI modification. If an attacker can change the values of at least two variables out of three (SecureBootEnforce, SecureBoo

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages1 packages

NVDinsyde/kernel5.05.5

🔴Vulnerability Details

2
CVEList
CVE-2022-35897: An stack buffer overflow vulnerability leads to arbitrary code execution issue was discovered in Insyde InsydeH2O with kernel 52022-11-21
GHSA
GHSA-9g2j-3rfj-c298: An stack buffer overflow vulnerability leads to arbitrary code execution issue was discovered in Insyde InsydeH2O with kernel 52022-11-21
CVE-2022-35897 — Out-of-bounds Write in Insyde Kernel | cvebase