CVE-2023-40238

CVSS 3.1 Score 5.5 of 10 (medium)

Details

Published Dec 7, 2023

Updated: Jan 5, 2024

CWE ID 312

Summary

CVE-2023-40238 is a vulnerability affecting Insyde InsydeH2O's BmpDecoderDxe in certain Lenovo devices using kernel versions 5.2 to 5.6 before specific updates. This issue is caused by an integer signedness error in handling PixelHeight and PixelWidth during RLE4/RLE8 compression in BMP logo files. An attacker can exploit this vulnerability during the DXE phase of UEFI execution to copy data to a specific address through image parsing of crafted BMP logo files. Successful exploitation could potentially lead to code injection and system compromise.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

InsydeH2O

Affected Vendors

Insyde Software

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/sTA9U6
https://www.cve.org/CVERecord?id=CVE-2023-40238
https://nvd.nist.gov/vuln/detail/CVE-2023-40238

Back to Vulnerability Database