CVE-2024-52877

NVD	https://nvd.nist.gov/vuln/detail/CVE-2024-52877
CWE	https://cwe.mitre.org/data/definitions/126.html

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-52877

CWE

https://cwe.mitre.org/data/definitions/126.html

An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, callback function SmmCreateVariableLockList () calls CreateVariableLockListInSmm (). In CreateVariableLockListInSmm (), it uses StrSize () to get variable name size and it could lead to a buffer over-read.

Weakness

The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

References

https://www.insyde.com/security-pledge
https://www.insyde.com/security-pledge/sa-2024016/

Buffer Over-read

Weakness

References