CVE-2022-26837
Description
Improper input validation in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in BIOS firmware for select Intel 9th-11th Gen, Xeon, and Celeron processors may let a privileged local attacker escalate privileges.
Vulnerability
Improper input validation exists in the BIOS firmware for certain Intel processors, including 9th, 10th, and 11th Generation Intel Core processors, Intel Xeon E and W Series, Intel Celeron, Intel Pentium, and Intel Atom processors (C3000, P5000, P5300). This vulnerability can be exploited by a privileged user to potentially escalate privileges via local access. Affected BIOS versions are those prior to the updates released in February 2023 as per Intel-SA-00717 [1].
Exploitation
An attacker must already have privileged access to the system (e.g., kernel or administrative rights) and the ability to load arbitrary code or modify BIOS settings. Exploitation requires local access to the machine, which lets the attacker craft malicious inputs that bypass validation checks in the BIOS firmware, leading to code execution at a higher privilege level within the firmware or platform [1].
Impact
Successful exploitation allows the attacker to escalate privileges within the BIOS or platform firmware, potentially gaining control over low-level system functions, bypassing security mechanisms, and achieving stealthy control that persists across operating system reboots [1].
Mitigation
Intel released BIOS updates in February 2023 to address this issue. Affected users should update their system BIOS to the corrected versions provided by their device manufacturer. No workarounds are available. The vulnerability is not currently listed in KEV [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Intel/BIOS firmware
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.