UsbCoreDxe: improper input validation may lead to arbitrary code execution

7.5 / 10

HIGH

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

UsbCoreDxe has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level.

Basic Information

ID CVE-2025-4276

Source Insyde

Published Aug 13, 2025 at 01:41

Modified Aug 14, 2025 at 05:54

Affected Product

Vendor Insyde Software

Product InsydeH2O

Version Kernel 5.3

Affected Versions Insyde Software InsydeH2O Kernel 5.3
Insyde Software InsydeH2O Kernel 5.4
Insyde Software InsydeH2O Kernel 5.5
Insyde Software InsydeH2O Kernel 5.6
Insyde Software InsydeH2O Kernel 5.7

CWE Classification

CWE-20

References

www.insyde.com /security-pledge/sa-2025005/

{
    "lastseen": "",
    "description": "UsbCoreDxe has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level.",
    "published": "2025-08-13T01:41:56.834Z",
    "modified": "2025-08-14T05:54:07.744Z",
    "type": "cve",
    "title": "UsbCoreDxe: improper input validation may lead to arbitrary code execution",
    "source": "Insyde",
    "references": "https://www.insyde.com/security-pledge/sa-2025005/",
    "id": "CVE-2025-4276",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "Insyde Software InsydeH2O Kernel 5.3\nInsyde Software InsydeH2O Kernel 5.4\nInsyde Software InsydeH2O Kernel 5.5\nInsyde Software InsydeH2O Kernel 5.6\nInsyde Software InsydeH2O Kernel 5.7",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "InsydeH2O",
    "version": "Kernel 5.3",
    "vendor": "Insyde Software",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

UsbCoreDxe: improper input validation may lead to arbitrary code execution_CVE-2025-4276