VYPR
High severity 8.2 · NVD Advisory · Published Jul 11, 2025 · Updated Apr 15, 2026

CVE-2025-7026

Description

A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function. If the contents at RBX match certain expected values (e.g., '$DB$' or '2DB$'), the function performs arbitrary writes to System Management RAM (SMRAM), leading to potential privilege escalation to System Management Mode (SMM) and persistent firmware compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-7026 allows local privilege escalation to SMM via an unchecked RBX pointer in a Gigabyte SMI handler, leading to arbitrary SMRAM writes.

Vulnerability

A flaw exists in the Software SMI handler triggered by SwSmiInputValue 0xB2 on certain Gigabyte motherboards. The handler passes the RBX register as a pointer into the CommandRcx0 function without proper validation. If the memory at the RBX address contains specific magic values (e.g., '$DB$' or '2DB$'), the function performs arbitrary writes to System Management RAM (SMRAM) [1]. This unchecked pointer usage bypasses SMRAM protections.
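The validation the handler lacks can be modelled as a range check on the caller-supplied pointer. The following is an added example, not Gigabyte or AMI firmware code: the SMRAM window, the `handler_prologue` name and the structure length are constructed assumptions, and the naive check is shown beside the complete one because start-address-only tests miss buffers that straddle SMRAM or wrap the address space.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed SMRAM window (assumption); real firmware takes the ranges
   from the platform's SMRAM descriptors. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL /* 8 MiB */

/* Incomplete check: looks only at the first byte of the buffer. */
bool naive_outside_smram(uint64_t addr)
{
    return addr < SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Complete check: true only if [addr, addr+len) is non-empty, does not wrap
   past 2^64, and has no byte inside the SMRAM window. */
bool buffer_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr > UINT64_MAX - (len - 1))
        return false;
    uint64_t last = addr + (len - 1);
    uint64_t smram_last = SMRAM_BASE + (SMRAM_SIZE - 1);
    return last < SMRAM_BASE || addr > smram_last;
}

/* Hypothetical handler prologue: saved_rbx is the RBX value taken from the
   interrupted context, struct_len the size of the structure it should hold. */
typedef enum { SMI_OK = 0, SMI_REJECTED = 1 } smi_status;

smi_status handler_prologue(uint64_t saved_rbx, uint64_t struct_len)
{
    if (!buffer_outside_smram(saved_rbx, struct_len))
        return SMI_REJECTED;
    /* Only now may the handler read the signature at saved_rbx; any pointer
       found inside that structure needs the same check before use. */
    return SMI_OK;
}

int main(void)
{
    uint64_t straddle = SMRAM_BASE - 8; /* 16-byte buffer crossing into SMRAM */
    printf("naive accepts straddling buffer: %d\n", naive_outside_smram(straddle));
    printf("complete check accepts it:       %d\n", buffer_outside_smram(straddle, 16));
    printf("prologue on in-SMRAM pointer:    %d\n", handler_prologue(SMRAM_BASE + 0x100, 64));
    return 0;
}
```

EDK II firmware provides this class of check as `SmmIsBufferOutsideSmmValid()` in SmmMemLib; the model above only illustrates the logic.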

Exploitation

Exploitation requires local administrative access (privilege level HIGH) and the ability to trigger the vulnerable SMI handler. An attacker can set the RBX register to point to attacker-controlled memory containing the expected magic values, causing the handler to write arbitrary data to SMRAM. The attack is executed from Ring 0 (kernel) or via a kernel-mode driver, with no user interaction needed [2].

Impact

Successful exploitation grants an attacker arbitrary code execution within System Management Mode (SMM), the most privileged CPU mode. From SMM, the attacker can read/write all system memory, install persistent firmware implants, and bypass operating system security controls. The compromise persists across reboots and may evade standard OS-level detection [2]. Multiple Gigabyte models spanning H110, H410, H510, Z590, and B150 chipsets are confirmed affected [1].

Mitigation

Gigabyte has not released a patch as of the publication date; the vulnerability was originally addressed by AMI but later reintroduced in Gigabyte firmware [3]. Affected users should monitor vendor advisories for firmware updates and limit local administrative access where possible. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of now.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

References

4
