CVE-2023-40238

N/A

A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 for certain Lenovo devices. Image parsing of crafted BMP logo files can copy data to a specific address during the DXE phase of UEFI execution. This occurs because of an integer signedness error involving PixelHeight and PixelWidth during RLE4/RLE8 compression.

N/A

N/A

Insyde InsydeH2O 安全漏洞

Insyde InsydeH2O是中国台湾系微（Insyde）公司的一个 C 语言源，它实现了新技术“EFI/UEFI”规范，旨在取代传统的 BIOS（基本输入/输出系统）。 Insyde InsydeH2O 存在安全漏洞，该漏洞源于BmpDecoderDxe 中存在 LogoFAIL 问题，攻击者利用该漏洞可以存储恶意制作的Logo图像，以下产品和版本受到影响：kernel 5.2 05.28.47版本、kernel 5.3 05.37.47版本、kernel 5.4 05.45.47版本、kernel

N/A

N/A