Insyde InsydeH2O up to 05.27.28/05.36.28/05.44.12/05.52.12 Boot toctou

Summaryinfo

A vulnerability categorized as problematic has been discovered in Insyde InsydeH2O up to 05.27.28/05.36.28/05.44.12/05.52.12. This affects an unknown part of the component Boot Handler. Such manipulation leads to toctou. This vulnerability is listed as CVE-2022-24351. There is no available exploit. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability was found in Insyde InsydeH2O up to 05.27.28/05.36.28/05.44.12/05.52.12. It has been rated as problematic. Affected by this issue is an unknown functionality of the component Boot Handler. The manipulation with an unknown input leads to a toctou vulnerability. Using CWE to declare the problem leads to CWE-367. The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state. Impacted is integrity. CVE summarizes:

TOCTOU race-condition vulnerability in Insyde InsydeH2O with Kernel 5.2 before version 05.27.29, Kernel 5.3 before version 05.36.29, Kernel 5.4 version before 05.44.13, and Kernel 5.5 before version 05.52.13 allows an attacker to alter data and code used by the remainder of the boot process.

The weakness was presented 12/16/2023. The advisory is shared for download at insyde.com. This vulnerability is handled as CVE-2022-24351 since 02/02/2022. There are neither technical details nor an exploit publicly available.

Upgrading to version 05.27.29, 05.36.29, 05.44.13 or 05.52.13 eliminates this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• Insyde

Name

• InsydeH2O

Version

• 05.27.0
• 05.27.1
• 05.27.2
• 05.27.3
• 05.27.4
• 05.27.5
• 05.27.6
• 05.27.7
• 05.27.8
• 05.27.9
• 05.27.10
• 05.27.11
• 05.27.12
• 05.27.13
• 05.27.14
• 05.27.15
• 05.27.16
• 05.27.17
• 05.27.18
• 05.27.19
• 05.27.20
• 05.27.21
• 05.27.22
• 05.27.23
• 05.27.24
• 05.27.25
• 05.27.26
• 05.27.27
• 05.27.28
• 05.36.0
• 05.36.1
• 05.36.2
• 05.36.3
• 05.36.4
• 05.36.5
• 05.36.6
• 05.36.7
• 05.36.8
• 05.36.9
• 05.36.10
• 05.36.11
• 05.36.12
• 05.36.13
• 05.36.14
• 05.36.15
• 05.36.16
• 05.36.17
• 05.36.18
• 05.36.19
• 05.36.20
• 05.36.21
• 05.36.22
• 05.36.23
• 05.36.24
• 05.36.25
• 05.36.26
• 05.36.27
• 05.36.28
• 05.44.0
• 05.44.1
• 05.44.2
• 05.44.3
• 05.44.4
• 05.44.5
• 05.44.6
• 05.44.7
• 05.44.8
• 05.44.9
• 05.44.10
• 05.44.11
• 05.44.12
• 05.52.0
• 05.52.1
• 05.52.2
• 05.52.3
• 05.52.4
• 05.52.5
• 05.52.6
• 05.52.7
• 05.52.8
• 05.52.9
• 05.52.10
• 05.52.11
• 05.52.12

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion