CVE-2023-26299 — Time-of-check Time-of-use (TOCTOU) Race Condition in HP 240 G10 Firmware

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition3 documents3 sources

Severity

7.0HIGHNVD

EPSS

0.2%

top 61.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

HP 240 G10 Firmware HP 245 G6 Firmware HP 245 G7 Firmware +14 more

Timeline

PublishedJun 30

Description

A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in certain HP PC products using AMI UEFI Firmware (system BIOS), which might allow arbitrary code execution. AMI has released updates to mitigate the potential vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages17 packages

▶CVEListV5hp_inc/hp_pc_products_using_ami_uefi_firmwareSee HP Security Bulletin reference for affected versions.

▶NVDhp/t430_firmware< 00.01.11

▶NVDhp/t628_firmware< 00.01.10

▶NVDhp/245_g6_firmware< f.35

▶NVDhp/245_g7_firmware< f.69

Patches

Patch: support.hp.com ↗Patch: support.hp.com ↗

🔴Vulnerability Details

CVEList

CVE-2023-26299: A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in certain HP PC products using AMI UEFI Firmware (system BIOS), w↗2023-06-30

▶

GHSA

GHSA-hwjr-m4gg-39hg: A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in certain HP PC products using AMI UEFI Firmware (system BIOS), w↗2023-06-30

▶