Buffer Underflow Issue in Firmware from Insyde Software
CVE-2021-38578

7.4 HIGH

Key Information:

Vendor: Tianocore

Status
Vendor
CVE Published: 3 March 2022

What is CVE-2021-38578?

A buffer underflow vulnerability exists in the SmmEntryPoint of Insyde Software's firmware due to inadequate checks in the CommBuffer logic. This flaw arises when the BufferSize is computed, allowing for potential data corruption and unpredictable behavior. It is crucial for users of affected firmware versions to implement the latest patches to safeguard against potential exploitation.

Affected Version(s)

EDK II edk2-stable202208

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
