
CVE-2022-33983: n/a in n/a

Severity: High
Published: Mon Nov 14 2022 (11/14/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

DMA transactions which are targeted at input buffers used for the NvmExpressLegacy software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the NvmExpressLegacy driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. This issue was fixed in kernel 5.2: 05.27.25, kernel 5.3: 05.36.25, kernel 5.4: 05.44.25, kernel 5.5: 05.52.25 https://www.insyde.com/security-pledge/SA-2022053

AI-Powered Analysis

Last updated: 07/02/2025, 03:13:32 UTC

Technical Analysis

CVE-2022-33983 is a high-severity vulnerability involving a Time-Of-Check to Time-Of-Use (TOCTOU) race condition affecting the NvmExpressLegacy software System Management Interrupt (SMI) handler. Specifically, Direct Memory Access (DMA) transactions targeting input buffers used by this handler can cause corruption of the System Management RAM (SMRAM). SMRAM is a protected memory region used by the system firmware to execute highly privileged code isolated from the operating system and other software. The vulnerability arises because the NvmExpressLegacy driver’s software SMI handler does not properly synchronize access to its input buffers during DMA operations, allowing an attacker to exploit the timing window between checking and using these buffers. This can lead to SMRAM corruption, potentially enabling privilege escalation or arbitrary code execution at the firmware level. The issue was discovered by Insyde engineering based on Intel iSTARE group’s description and affects multiple kernel versions, with fixes released in kernel 5.2 (05.27.25), 5.3 (05.36.25), 5.4 (05.44.25), and 5.5 (05.52.25). The vulnerability is tracked under CWE-367 (Time-of-check Time-of-use Race Condition) and has a CVSS 3.1 base score of 7.0, indicating high severity. Exploitation requires local access with low privileges but no user interaction, and the attack vector is local (AV:L), with high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild.
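As an added illustration (not code from this page, Insyde, or Intel), the check-then-use pattern the analysis describes is shown beside the snapshot-first pattern that closes the window: the handler confirms the caller's buffer lies outside SMRAM, copies it once into SMRAM-resident storage, and validates and uses only that copy. The SMRAM window and the buffer layout are constructed for the example, not the real firmware values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed SMRAM window for this example; real firmware reads it from the chipset. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* Hypothetical layout of the SMI handler's input buffer (not Insyde's real structure). */
typedef struct {
    uint32_t opcode;
    uint32_t length;      /* number of valid bytes in payload */
    uint8_t  payload[64];
} nvme_comm_t;

/* True if [addr, addr+len) does not wrap and lies entirely outside SMRAM. */
bool outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr + len < addr)
        return false;
    return (addr + len <= SMRAM_BASE) || (addr >= SMRAM_BASE + SMRAM_SIZE);
}

/* TOCTOU-prone pattern: the length is checked in the shared, DMA-reachable
 * buffer and then read a second time for the copy, so a value that changes
 * between the two reads is used unchecked. */
int handle_in_place(volatile nvme_comm_t *shared, uint8_t *dst)
{
    if (shared->length > sizeof shared->payload)
        return -1;
    memcpy(dst, (const uint8_t *)shared->payload, shared->length);
    return 0;
}

/* Hardened pattern: reject buffers that overlap SMRAM, snapshot the input
 * once into SMRAM-resident storage, then validate and use only the snapshot. */
int handle_snapshot(uint64_t phys, const nvme_comm_t *shared, uint8_t *dst)
{
    nvme_comm_t local;                         /* lives in SMRAM (handler stack) */
    if (!outside_smram(phys, sizeof local))
        return -2;
    memcpy(&local, shared, sizeof local);      /* single read of DMA-reachable memory */
    if (local.length > sizeof local.payload)   /* check the snapshot ... */
        return -1;
    memcpy(dst, local.payload, local.length);  /* ... and use the same snapshot */
    return 0;
}
```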

Potential Impact

For European organizations, this vulnerability poses a significant risk especially to systems running affected kernel versions with the NvmExpressLegacy driver enabled. Successful exploitation could allow attackers with local access to corrupt SMRAM, potentially leading to firmware-level compromise, bypassing OS security controls, and persistent malware implantation. This could result in loss of confidentiality of sensitive data, integrity breaches through unauthorized code execution, and availability issues due to system instability or firmware corruption. Critical infrastructure, government agencies, financial institutions, and enterprises relying on affected hardware and kernel versions are particularly at risk. The complexity of exploitation limits remote attacks, but insider threats or attackers with physical or local access could leverage this vulnerability to gain elevated privileges and maintain stealthy persistence, complicating incident response and forensic analysis.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions 5.2 (05.27.25), 5.3 (05.36.25), 5.4 (05.44.25), or 5.5 (05.52.25) or later where the vulnerability is patched. Additionally, organizations should audit systems to identify the presence of the NvmExpressLegacy driver and disable it if not required, reducing the attack surface. Implement strict access controls to limit local user privileges and prevent unauthorized DMA-capable devices or users from accessing vulnerable input buffers. Employ hardware-based protections such as Input-Output Memory Management Units (IOMMUs) to restrict DMA transactions to authorized memory regions. Regularly monitor system logs and firmware integrity to detect anomalies indicative of SMRAM corruption attempts. For environments with high security requirements, consider firmware updates from hardware vendors that may further mitigate this class of vulnerabilities. Finally, incorporate this vulnerability into security awareness and insider threat programs to reduce risk from local attackers.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-06-18T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983ac4522896dcbed6e6

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 7/2/2025, 3:13:32 AM

Last updated: 8/15/2025, 2:33:52 PM
