4 matches found
CVE-2025-4276
CVE-2025-4276 affects UsbCoreDxe (EFI/UEFI) and related InsydeH2O implementations. The vulnerability stems from an ability to write to arbitrary memory in SMRAM, enabling arbitrary code execution at System Management Mode (SMM). Reported impact is execution of code with SMM privileges and potenti...
CVE-2025-4276 UsbCoreDxe: improper input validation may lead to arbitrary code execution
UsbCoreDxe has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level...
CVE-2022-30283
In UsbCoreDxe, tampering with the contents of the USB working buffer using DMA while certain USB transactions are in process leads to a TOCTOU problem that could be used by an attacker to cause SMRAM corruption and escalation of privileges. The UsbCoreDxe module creates a working buffer for USB...
CVE-2022-29275
In UsbCoreDxe, untrusted input may allow SMRAM or OS memory tampering. Use of untrusted pointers could allow OS or SMRAM memory tampering leading to escalation of privileges. This issue was discovered by Insyde during security review. It was fixed in: Kernel 5.0: version 05.09.21; Kernel 5.1: versi...