VYPR
High severity · CVSS 8.2 · NVD Advisory · Published Jul 11, 2025 · Updated Apr 15, 2026

CVE-2025-7027

Description

A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control both the read and write addresses used by the CommandRcx1 function. The write target is derived from an unvalidated UEFI NVRAM variable (SetupXtuBufferAddress), while the write content is read from an attacker-controlled pointer based on the RBX register. This dual-pointer dereference enables arbitrary memory writes within System Management RAM (SMRAM), leading to potential SMM privilege escalation and firmware compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A local attacker can use an unvalidated NVRAM variable and RBX register to write arbitrary data into SMRAM via a Software SMI handler, leading to SMM privilege escalation.

Vulnerability

Overview

CVE-2025-7027 is a high-severity (CVSS 8.2) vulnerability affecting System Management Mode (SMM) firmware on multiple Gigabyte motherboards. The root cause is a Software SMI handler (SwSmiInputValue 0xB2) that performs a dual-pointer dereference during an SMRAM write operation [1][2]. The write target address is derived from an unvalidated UEFI NVRAM variable (SetupXtuBufferAddress), and the content to be written is read from an attacker-controlled pointer taken from the RBX register [1]. Because neither pointer is checked against the SMRAM bounds before use, an attacker with local, high-privilege (ring 0) access can choose both the destination and the payload of a memory write into System Management RAM (SMRAM).

Exploitation

Details

An attacker who already has elevated (kernel-level) access on the system invokes the vulnerable handler by triggering a software SMI. Before doing so, the attacker loads RBX with a pointer to a buffer holding the desired payload (the SMM save state captures the register values at SMI entry, which is where the handler reads RBX from) and sets the SetupXtuBufferAddress NVRAM variable to the SMRAM address to be overwritten. The handler then copies the attacker-supplied bytes to the attacker-chosen SMRAM location [1][2]. Local access and privileges sufficient to trigger the SMI and write NVRAM variables are required, but no further authentication on the victim system is needed once those privileges are obtained.
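As an added illustration, and not the Gigabyte/AMI code (whose actual layout is not on this page), the following C model reproduces the handler shape described above beside a hardened variant that validates both pointers against SMRAM before dereferencing them. The flat-array memory layout, the 8-byte transfer length, the function names and the buffer_outside_smram helper are assumptions for the example; the comparable real-world check in EDK2 is SmmIsBufferOutsideSmmValid() from SmmMemLib.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the CommandRcx1 dual-pointer flaw. Physical memory is
 * a flat byte array and SMRAM is the sub-range [SMRAM_BASE, SMRAM_BASE+SMRAM_SIZE).
 * Layout, transfer length and function names are assumptions for the example,
 * not the Gigabyte/AMI implementation.
 */
#define MEM_SIZE   0x10000u
#define SMRAM_BASE 0x8000u
#define SMRAM_SIZE 0x4000u
#define XFER_LEN   8u                 /* bytes copied per command (assumed) */

static uint8_t g_mem[MEM_SIZE];

struct cpu_save_state { uint64_t rbx; };                   /* slice of the SMM save state */
struct setup_nvram    { uint64_t SetupXtuBufferAddress; }; /* UEFI variable contents */

enum { CMD_OK = 0, CMD_EINVAL = 1 };

typedef int (*smi_cmd_fn)(const struct cpu_save_state *, const struct setup_nvram *);

/* Keeps the model's array accesses in bounds; this is NOT a security check. */
static bool in_model(uint64_t addr) { return addr <= MEM_SIZE - XFER_LEN; }

/* Vulnerable shape: destination from NVRAM, source from RBX, no SMRAM check. */
int cmd_rcx1_vulnerable(const struct cpu_save_state *ss, const struct setup_nvram *nv)
{
    uint64_t dst = nv->SetupXtuBufferAddress;   /* attacker sets the variable */
    uint64_t src = ss->rbx;                     /* attacker sets RBX before the SMI */
    if (!in_model(dst) || !in_model(src)) return CMD_EINVAL;
    memcpy(&g_mem[dst], &g_mem[src], XFER_LEN); /* SMM-privileged write into SMRAM */
    return CMD_OK;
}

/* True only if [addr, addr+len) is non-empty, does not wrap and does not touch SMRAM. */
bool buffer_outside_smram(uint64_t addr, uint64_t len)
{
    uint64_t end;
    if (len == 0) return false;
    if (__builtin_add_overflow(addr, len, &end)) return false;   /* wrap-around */
    return end <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Hardened shape: both pointers validated from SMRAM-resident copies before use. */
int cmd_rcx1_hardened(const struct cpu_save_state *ss, const struct setup_nvram *nv)
{
    uint64_t dst = nv->SetupXtuBufferAddress;   /* local copy: OS cannot change it after the check */
    uint64_t src = ss->rbx;
    if (!buffer_outside_smram(dst, XFER_LEN) ||  /* blocks the write into SMRAM */
        !buffer_outside_smram(src, XFER_LEN))    /* blocks copying SMRAM contents out */
        return CMD_EINVAL;
    if (!in_model(dst) || !in_model(src)) return CMD_EINVAL;
    memcpy(&g_mem[dst], &g_mem[src], XFER_LEN);
    return CMD_OK;
}

/* Drive a handler with attacker-chosen pointers: RBX -> payload in OS memory,
   SetupXtuBufferAddress -> a location inside SMRAM. Returns true if SMRAM changed. */
bool smram_overwritten_by(smi_cmd_fn handler)
{
    const uint64_t payload = 0x1000;              /* constructed attacker buffer */
    const uint64_t target  = SMRAM_BASE + 0x100;  /* e.g. a pointer SMM code later trusts */
    memset(g_mem, 0, sizeof g_mem);
    memset(&g_mem[payload], 0x41, XFER_LEN);
    struct cpu_save_state ss = { .rbx = payload };
    struct setup_nvram    nv = { .SetupXtuBufferAddress = target };
    (void)handler(&ss, &nv);
    return g_mem[target] == 0x41;
}

/* A legitimate use: both buffers in OS memory. Returns true if the copy happened. */
bool benign_copy_ok(smi_cmd_fn handler)
{
    memset(g_mem, 0, sizeof g_mem);
    memset(&g_mem[0x1000], 0x42, XFER_LEN);
    struct cpu_save_state ss = { .rbx = 0x1000 };
    struct setup_nvram    nv = { .SetupXtuBufferAddress = 0x2000 };
    return handler(&ss, &nv) == CMD_OK && g_mem[0x2000] == 0x42;
}

int main(void)
{
    printf("vulnerable handler: SMRAM overwritten = %d\n", smram_overwritten_by(cmd_rcx1_vulnerable));
    printf("hardened handler:   SMRAM overwritten = %d\n", smram_overwritten_by(cmd_rcx1_hardened));
    printf("hardened handler:   benign copy ok    = %d\n", benign_copy_ok(cmd_rcx1_hardened));
    return 0;
}
```

Two details matter beyond the overlap test itself. The check must cover the whole range, including wrap-around, so a pointer just below SMRAM with a length that reaches into it is rejected; and the values checked must be copies the OS can no longer modify (the save-state field and the variable contents are read once into SMM-owned locals), otherwise a double-fetch lets the attacker swap in an SMRAM pointer after validation. Checking the source pointer as well as the destination closes the read half of the bug, which would otherwise let SMRAM contents be copied out to OS memory.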

Impact

Successful exploitation allows the attacker to write arbitrary data into SMRAM, which is normally inaccessible to non-SMM code, including the OS kernel and hypervisor [2][3]. This can lead to full compromise of the SMM environment, enabling the attacker to bypass OS-level security measures, install persistent firmware implants, or modify low-level system behavior (e.g., Secure Boot, virtual machine monitors) [2]. The impact is compounded because SMM runs at a privilege level above the kernel and hypervisor (often called ring -2), so gaining SMM code execution effectively grants total control over the platform.

Mitigation

Status

The vulnerability affects multiple Gigabyte motherboard models using AMI firmware, including the GA-H110M-S2HP, Z590 GAMING X, H510M series, and others [1]. The original AMI firmware supplier had previously addressed related issues, but the flaws resurfaced in Gigabyte's custom builds [2]. As of the advisory date (July 2025), users are advised to check for firmware updates from Gigabyte; a permanent fix requires vendors to validate the NVRAM variable and RBX pointer before performing the write [1][2]. The vulnerability is not known to be on the CISA KEV list.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.