Sign-up

ID

VAR-202211-1571


CVE

CVE-2022-35407


TITLE

Insyde InsydeH2O Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202211-3263

DESCRIPTION

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. A stack buffer overflow leads to arbitrary code execution in the SetupUtility driver on Intel platforms. An attacker can change the values of certain UEFI variables. If the size of the second variable exceeds the size of the first, then the buffer will be overwritten. This issue affects the SetupUtility driver of InsydeH2O

Trust: 0.99

sources: NVD: CVE-2022-35407 // VULMON: CVE-2022-35407

IOT TAXONOMY

category:['other device']sub_category:general

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor:insydemodel:kernelscope:lteversion:5.5

Trust: 1.0

vendor:insydemodel:kernelscope:gteversion:5.0

Trust: 1.0

sources: NVD: CVE-2022-35407

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-35407
value: HIGH

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2022-35407
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202211-3263
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-35407
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 2.0

sources: CNNVD: CNNVD-202211-3263 // NVD: CVE-2022-35407 // NVD: CVE-2022-35407

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.0

sources: NVD: CVE-2022-35407

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202211-3263

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202211-3263

PATCH

title:Insyde InsydeH2O Buffer error vulnerability fixurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=215776

Trust: 0.6

sources: CNNVD: CNNVD-202211-3263

EXTERNAL IDS

db:NVDid:CVE-2022-35407

Trust: 1.8

db:CNNVDid:CNNVD-202211-3263

Trust: 0.6

db:OTHERid:NONE

Trust: 0.1

db:VULMONid:CVE-2022-35407

Trust: 0.1

sources: OTHER: None // VULMON: CVE-2022-35407 // CNNVD: CNNVD-202211-3263 // NVD: CVE-2022-35407

REFERENCES

url:https://www.insyde.com/security-pledge

Trust: 1.7

url:https://www.insyde.com/security-pledge/sa-2022040

Trust: 1.7

url:https://cxsecurity.com/cveshow/cve-2022-35407/

Trust: 0.6

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: OTHER: None // VULMON: CVE-2022-35407 // CNNVD: CNNVD-202211-3263 // NVD: CVE-2022-35407

SOURCES

db:OTHERid: -
db:VULMONid:CVE-2022-35407
db:CNNVDid:CNNVD-202211-3263
db:NVDid:CVE-2022-35407

LAST UPDATE DATE

2025-04-29T23:54:57.672000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2022-35407date:2022-11-22T00:00:00
db:CNNVDid:CNNVD-202211-3263date:2022-12-01T00:00:00
db:NVDid:CVE-2022-35407date:2025-04-29T16:15:23.800

SOURCES RELEASE DATE

db:VULMONid:CVE-2022-35407date:2022-11-22T00:00:00
db:CNNVDid:CNNVD-202211-3263date:2022-11-22T00:00:00
db:NVDid:CVE-2022-35407date:2022-11-22T02:15:09.120