CVE-2023-27373

CVSS 3.1 Score 5.5 of 10 (medium)

Details

Published Aug 7, 2023

Updated: Aug 15, 2023

CWE ID 20

Summary

CVE-2023-27373 is a vulnerability affecting Insyde's InsydeH2O software, specifically its kernel versions 5.0 through 5.5. This issue stems from inadequate input validation, which enables an attacker to manipulate a runtime-accessible EFI variable. By doing so, the attacker can induce a dynamic Base Address Register (BAR) setting overlap with SMRAM, potentially leading to unintended system behavior or memory corruption. The vulnerability poses a significant risk and necessitates prompt patching or mitigation measures.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

InsydeH2O

Affected Vendors

Insyde Software

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/sQLzf_
https://www.cve.org/CVERecord?id=CVE-2023-27373
https://nvd.nist.gov/vuln/detail/CVE-2023-27373

Back to Vulnerability Database