Skip to main content

Insydeh2o CVE-2024-55567

| EUVDEUVD-2024-54678 HIGH
Improper Input Validation (CWE-20)
2025-06-12 cve@mitre.org
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 21:20 euvd
EUVD-2024-54678
Analysis Generated
Mar 14, 2026 - 21:20 vuln.today
CVE Published
Jun 12, 2025 - 17:15 nvd
HIGH 7.5

DescriptionCVE.org

Improper input validation was discovered in UsbCoreDxe in Insyde InsydeH2O kernel 5.4 before 05.47.01, 5.5 before 05.55.01, 5.6 before 05.62.01, and 5.7 before 05.71.01. The SMM module has an SMM call out vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level.

AnalysisAI

CVE-2024-55567 is an improper input validation vulnerability in the UsbCoreDxe module of Insyde InsydeH2O firmware that allows authenticated local attackers with high privileges to bypass SMM (System Management Mode) protections and execute arbitrary code at the highest firmware privilege level. This affects multiple kernel versions (5.4, 5.5, 5.6, 5.7) across numerous OEM BIOS implementations, enabling complete system compromise including kernel-level code execution and memory access. While CVSS rates this as 7.5 (high), real-world exploitation requires local access and administrative/BIOS-level privileges, though no public POC or active KEV designation has been confirmed.

Technical ContextAI

The vulnerability exists in UsbCoreDxe, a UEFI DXE (Driver Execution Environment) module responsible for USB device enumeration and communication. InsydeH2O is a proprietary BIOS/UEFI firmware platform used by numerous OEMs. The SMM (System Management Mode) is a privileged x86 processor mode used for low-level hardware management tasks that executes outside normal operating system control. The vulnerability is rooted in CWE-20 (Improper Input Validation), specifically in SMM call-out handlers that fail to properly validate parameters passed from less-privileged code. Attackers can craft malicious USB descriptor data or firmware interface calls to trigger out-of-bounds memory writes or unvalidated function pointer dereferences within SMRAM (SMM-protected memory), leading to arbitrary code execution at SMM level. The USB subsystem's position in the firmware stack makes this particularly dangerous, as USB initialization occurs before OS boot, with minimal validation of device descriptors.

RemediationAI

  • method: Firmware Update (Primary); action: Update InsydeH2O kernel to patched versions: 5.4 to 05.47.01 or later, 5.5 to 05.55.01 or later, 5.6 to 05.62.01 or later, 5.7 to 05.71.01 or later. Contact OEM (Dell, HP, Lenovo, ASUS, etc.) for BIOS updates specific to your motherboard/system model, as InsydeH2O is integrated into OEM firmware distributions.
  • method: Interim Mitigation (if patches unavailable); action: Restrict physical USB port access and disable USB device enumeration in BIOS settings if business continuity allows. Implement secure boot and firmware integrity verification (TPM-backed) to detect unauthorized modifications. Limit local administrative access and enable BIOS/firmware update authentication.
  • method: Detection and Monitoring; action: Monitor system logs for unexpected SMM mode activity or firmware modifications. Implement firmware vulnerability scanning tools compatible with your UEFI firmware to detect vulnerable UsbCoreDxe versions.
CVE-2023-22614 HIGH POC
8.8 Apr 11

An issue was discovered in ChipsetSvcSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. Rated high severity (CVSS 8.8)

CVE-2022-36448 HIGH POC
8.2 Sep 28

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. Rated high severity (CVSS 8.2), this vulnerabil

CVE-2022-36338 HIGH POC
8.2 Sep 23

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. Rated high severity (CVSS 8.2), this vulnerabil

CVE-2022-35408 HIGH POC
8.2 Sep 22

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. Rated high severity (CVSS 8.2), this vulnerabil

CVE-2022-35895 HIGH POC
8.2 Sep 21

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. Rated high severity (CVSS 8.2), this vulnerabil

CVE-2023-22616 HIGH POC
7.8 Apr 12

An issue was discovered in Insyde InsydeH2O with kernel 5.2 through 5.5. Rated high severity (CVSS 7.8), this vulnerabil

CVE-2022-35894 MEDIUM POC
6.0 Sep 22

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. Rated medium severity (CVSS 6.0), this vulnerab

CVE-2022-35896 MEDIUM POC
6.0 Sep 22

An issue SMM memory leak vulnerability in SMM driver (SMRAM was discovered in Insyde InsydeH2O with kernel 5.0 through 5

CVE-2023-39281 CRITICAL
9.8 Nov 01

A stack buffer overflow vulnerability discovered in AsfSecureBootDxe in Insyde InsydeH2O with kernel 5.0 through 5.5 all

CVE-2023-40238 MEDIUM POC
5.5 Dec 07

A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.4

CVE-2023-22613 HIGH
8.8 Apr 11

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. Rated high severity (CVSS 8.8), thi

CVE-2023-22612 HIGH
8.8 Apr 11

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. Rated high severity (CVSS 8.8), thi

Share

CVE-2024-55567 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy