CVE-2025-10451
Unchecked Buffer Overflow in SMM Allows Arbitrary Code Execution
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Insyde
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| intel | kaby_lake | * |
| insyde | insydeh2o | * |
| amd | picasso | * |
| intel | ice_lake | * |
| hp | feature | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves an unchecked output buffer that may allow arbitrary code execution within the System Management Mode (SMM). This can potentially lead to corruption of the SMM memory.
How can this vulnerability impact me? :
The vulnerability can lead to arbitrary code execution and memory corruption in SMM, which may compromise system security, potentially allowing attackers to gain high-privilege control and cause significant system damage or data loss.
What immediate steps should I take to mitigate this vulnerability?
Apply the patch IB05690966 released for HP feature versions before 20C1, which addresses the vulnerability in platforms based on Intel Ice Lake, Kaby Lake, and AMD Picasso processors. This patch mitigates the unchecked output buffer issue in the InsydeH2O firmware's SMM phase to prevent arbitrary code execution and memory corruption. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.