CVE-2023-28468

An issue was discovered in FvbServicesRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The FvbServicesRuntimeDxe SMM module exposes an SMI handler that allows an attacker to interact with the SPI flash at run-time from the OS.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 14%
VendorProductVersion
insydekernel
5.0 ≤
𝑥
≤ 5.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.insyde.com/security-pledge
https://www.insyde.com/security-pledge/SA-2023039
https://www.insyde.com/security-pledge
https://www.insyde.com/security-pledge/SA-2023039