CVE-2022-32471

7.0 HIGH

📋 TL;DR

This vulnerability in InsydeH2O firmware allows attackers with local access to potentially escalate privileges or corrupt data by exploiting a time-of-check-time-of-use (TOCTOU) race condition in the IhisiSmm driver. It affects systems running InsydeH2O kernel versions 5.0 through 5.5. Attackers could modify SMRAM or OS memory after parameter validation but before use.
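The race described above, modelled as an added C example (not Insyde code; the handler, parameter layout and all names are hypothetical): an SMI handler that validates a parameter block in OS memory and then re-reads it at use time, beside the standard fix of copying the block into SMRAM-local storage once and checking and using only that copy.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of an SMI handler taking a parameter block from OS memory.
 * Names and layout are hypothetical, not Insyde's IhisiSmm code. */
#define BUF_SIZE 64
#define CANARY_SIZE 16
/* [0,BUF_SIZE) is the handler's SMRAM buffer; the canary after it detects overruns. */
static uint8_t smram[BUF_SIZE + CANARY_SIZE];
typedef struct { uint32_t dst_offset; uint32_t len; } Params;
typedef void (*racer_fn)(Params *p); /* simulates another core writing OS memory mid-handler */
static void smram_reset(void) { memset(smram, 0, BUF_SIZE); memset(smram + BUF_SIZE, 0x5A, CANARY_SIZE); }
static int canary_intact(void) {
    for (int i = 0; i < CANARY_SIZE; i++) if (smram[BUF_SIZE + i] != 0x5A) return 0;
    return 1;
}
/* The parameter block itself must lie outside SMRAM, or the OS could alias handler data. */
static int outside_smram(const void *addr, size_t size) {
    uintptr_t a = (uintptr_t)addr, s = (uintptr_t)smram;
    return a + size <= s || a >= s + sizeof smram;
}

/* TOCTOU: checks the fields in OS memory, then re-reads them at use time. */
int vulnerable_handler(Params *p, racer_fn racer) {
    if ((uint64_t)p->dst_offset + p->len > BUF_SIZE) return -1; /* check */
    if (racer) racer(p);                                         /* race window */
    memset(smram + p->dst_offset, 0xAA, p->len);                 /* use: re-reads OS memory */
    return (int)p->len;
}

/* Fixed: copy once into SMRAM-local storage, then check and use only the copy. */
int hardened_handler(Params *p, racer_fn racer) {
    Params local;
    if (!outside_smram(p, sizeof *p)) return -1;
    memcpy(&local, p, sizeof local);
    if ((uint64_t)local.dst_offset + local.len > BUF_SIZE) return -1;
    if (racer) racer(p);                                         /* no longer reaches `local` */
    memset(smram + local.dst_offset, 0xAA, local.len);
    return (int)local.len;
}
/* Simulated concurrent writer: grows len after the check, kept inside the
 * canary so this model never writes past its own array. */
static void grow_len(Params *p) { p->dst_offset = 0; p->len = BUF_SIZE + CANARY_SIZE; }
/* Runs one handler against the racer; returns 1 if the canary survived. */
int scenario(int use_hardened) {
    Params p = { 0, 8 };
    smram_reset();
    (use_hardened ? hardened_handler : vulnerable_handler)(&p, grow_len);
    return canary_intact();
}
int rejects_block_inside_smram(void) { return hardened_handler((Params *)smram, NULL) == -1; }
```

`scenario(0)` reports a corrupted canary and `scenario(1)` an intact one; the outside-SMRAM check is the second half of the same fix, since a copy is only meaningful if the source cannot alias handler memory.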

💻 Affected Systems

Products:
  • InsydeH2O UEFI firmware with IhisiSmm driver
Versions: Kernel versions 5.0 through 5.5
Operating Systems: Any OS running on affected firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with InsydeH2O firmware that includes the vulnerable IhisiSmm component.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via SMM privilege escalation leading to persistent firmware-level malware installation.

🟠 Likely Case: Local privilege escalation allowing attackers to gain kernel or SMM-level access from user space.

🟢 If Mitigated: Limited impact with proper access controls and firmware protections in place.

🌐 Internet-Facing: LOW - Requires local system access, not directly exploitable over network.
🏢 Internal Only: HIGH - Local attackers or malware could exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires local access and precise timing to win the TOCTOU race condition.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel version 5.6 or later

Vendor Advisory: https://www.insyde.com/security-pledge/SA-2023003

Restart Required: Yes

Instructions:

1. Check with the device manufacturer for firmware update availability.
2. Download and install the updated firmware/BIOS from the manufacturer.
3. Reboot the system to apply the firmware update.

🔧 Temporary Workarounds

Disable vulnerable driver (all)

  • Remove or disable the IhisiDxe driver if it is not required for system functionality.
  • Requires firmware configuration changes; consult manufacturer documentation.

🧯 If You Can't Patch

  • Implement strict local access controls and privilege separation
  • Monitor for suspicious SMM-related activity and memory access patterns

🔍 How to Verify

Check if Vulnerable:

Check firmware version in UEFI/BIOS settings or using manufacturer-specific tools

Check Version:

Manufacturer-specific commands vary - check with device OEM

Verify Fix Applied:

Verify firmware version is 5.6 or later in UEFI/BIOS settings

📡 Detection & Monitoring

Log Indicators:

  • Unexpected SMM handler calls
  • SMRAM access violations
  • Firmware update failures

Network Indicators:

  • None - local exploitation only

SIEM Query:

Search for firmware update events followed by system instability or privilege escalation attempts
