CVE-2025-7028
Description
A vulnerability in the Software SMI handler (SwSmiInputValue 0x20) allows a local attacker to supply a crafted pointer (FuncBlock) through RBX and RCX register values. This pointer is passed unchecked into multiple flash management functions (ReadFlash, WriteFlash, EraseFlash, and GetFlashInfo) that dereference both the structure and its nested members, such as BufAddr. This enables arbitrary read/write access to System Management RAM (SMRAM), allowing an attacker to corrupt firmware memory, exfiltrate SMRAM content via flash, or install persistent implants.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-7028 is an SMM vulnerability in Gigabyte firmware allowing local attackers to achieve arbitrary read/write to SMRAM via uncontrolled pointers in the SMI handler.
Vulnerability
The vulnerability resides in the Software SMI handler for SwSmiInputValue 0x20 within Gigabyte UEFI firmware. The handler takes pointer values from the saved RBX and RCX registers without validation and treats them as the address of a FuncBlock structure, which it passes to flash management functions such as ReadFlash, WriteFlash, EraseFlash, and GetFlashInfo. These functions dereference both the structure and its nested BufAddr member, so an attacker controls every address the flash operations read from or write to [1]. The security-relevant omission is the standard SMM check that a caller-supplied buffer (and every pointer reachable from it) lies entirely outside SMRAM before it is touched; without it, the handler becomes a read/write primitive into SMM's own memory.
Exploitation
An attacker requires local access and the ability to trigger the SMI handler. A software SMI is normally raised by writing the SwSmiInputValue (here 0x20) to the APM command port (0xB2 on Intel platforms), which requires ring-0 privileges, so the realistic precondition is kernel-level code or code running in early boot before the OS locks such access down. By setting RBX and RCX before raising the SMI, the attacker supplies a FuncBlock pointer of their choosing. Because the pointer and its nested BufAddr are never range-checked, they can name arbitrary SMRAM addresses, and the flash operations then read from or write to memory outside the intended caller buffer [2]. Note that SMM executes at a higher privilege level than the OS kernel and any hypervisor, so a kernel-level foothold is escalated, not merely retained.
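The missing check described in the Vulnerability and Exploitation paragraphs above, shown as an added example beside its hardened counterpart. This is illustrative code written for this page, not Gigabyte's handler and not code from the Binarly report. It assumes a hypothetical FuncBlock layout (Function, Size, BufAddr), a simulated flat memory with SMRAM at a fixed range, and that RCX holds the high half and RBX the low half of the pointer; the page does not state the real structure or register encoding. The hardened version applies the range check in the spirit of EDK2's SmmIsBufferOutsideSmmValid to both the structure and its nested buffer.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Simulated physical memory: a flat 64 KiB array (constructed for this
 * example). Guest addresses are offsets into it; SMRAM is the top 16 KiB. */
#define MEM_SIZE    0x10000u
#define SMRAM_BASE  0xC000u
#define SMRAM_SIZE  0x4000u
static uint8_t g_mem[MEM_SIZE];

/* Hypothetical FuncBlock layout: the real Gigabyte structure is not on
 * the page, only that it carries a nested BufAddr pointer. */
typedef struct {
    uint32_t Function;   /* 0 = GetFlashInfo, 1 = ReadFlash, ... (assumed) */
    uint32_t Size;       /* bytes to transfer */
    uint64_t BufAddr;    /* caller-supplied buffer address (nested pointer) */
} FuncBlock;

/* Simulated flash contents so ReadFlash has something to copy. */
static const char g_flash[16] = "FLASH-CONTENT-01";

void reset_mem(void) { memset(g_mem, 0, sizeof g_mem); }
uint8_t mem_at(uint64_t addr) { return g_mem[addr]; }

/* Range check in the spirit of SmmIsBufferOutsideSmmValid: [addr, addr+len)
 * must fit in memory without wrapping and must not overlap SMRAM at all. */
bool buffer_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr > MEM_SIZE || len > MEM_SIZE - addr)
        return false;                         /* out of bounds or wraps */
    uint64_t end = addr + len;                /* exclusive end */
    return end <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Simulated ReadFlash: copies Size bytes of flash to wherever BufAddr says. */
static void read_flash(const FuncBlock *fb)
{
    uint32_t n = fb->Size > sizeof g_flash ? (uint32_t)sizeof g_flash : fb->Size;
    memcpy(&g_mem[fb->BufAddr], g_flash, n);
}

/* Assumed pointer encoding: RCX holds the high 32 bits, RBX the low 32. */
static uint64_t funcblock_addr(uint64_t rbx, uint64_t rcx)
{
    return (rcx << 32) | (rbx & 0xffffffffu);
}

/* Vulnerable handler: the pointer from the save state is used as-is, so both
 * the FuncBlock and its BufAddr may point into SMRAM. (The simulation only
 * models in-range addresses; real hardware would fault or corrupt SMRAM.) */
int vulnerable_swsmi_handler(uint64_t rbx, uint64_t rcx)
{
    FuncBlock fb;
    memcpy(&fb, &g_mem[funcblock_addr(rbx, rcx)], sizeof fb); /* no range check */
    read_flash(&fb);                                           /* no check on BufAddr */
    return 0;
}

/* Hardened handler: validate the structure, copy it once (so the caller cannot
 * change it underneath us), then validate the nested buffer before any access. */
int hardened_swsmi_handler(uint64_t rbx, uint64_t rcx)
{
    uint64_t fb_addr = funcblock_addr(rbx, rcx);
    if (!buffer_outside_smram(fb_addr, sizeof(FuncBlock)))
        return -1;                            /* FuncBlock itself lands in SMRAM */
    FuncBlock fb;
    memcpy(&fb, &g_mem[fb_addr], sizeof fb);
    if (!buffer_outside_smram(fb.BufAddr, fb.Size))
        return -2;                            /* nested BufAddr lands in SMRAM */
    read_flash(&fb);
    return 0;
}

/* Test fixture: place a ReadFlash FuncBlock at fb_addr targeting buf_addr. */
void place_funcblock(uint64_t fb_addr, uint64_t buf_addr, uint32_t size)
{
    FuncBlock fb = { .Function = 1, .Size = size, .BufAddr = buf_addr };
    memcpy(&g_mem[fb_addr], &fb, sizeof fb);
}

int main(void)
{
    reset_mem();
    place_funcblock(0x1000, SMRAM_BASE + 0x100, 16);   /* BufAddr inside SMRAM */
    vulnerable_swsmi_handler(0x1000, 0);
    printf("vulnerable: byte at SMRAM+0x100 = '%c' (flash data written into SMRAM)\n",
           mem_at(SMRAM_BASE + 0x100));
    reset_mem();
    place_funcblock(0x1000, SMRAM_BASE + 0x100, 16);
    printf("hardened:   rc = %d, byte at SMRAM+0x100 = 0x%02x (untouched)\n",
           hardened_swsmi_handler(0x1000, 0), mem_at(SMRAM_BASE + 0x100));
    return 0;
}
```

The same check must be repeated for every pointer the handler follows, not just the top-level structure; the single copy of the FuncBlock into SMM-owned stack memory also closes the time-of-check/time-of-use window in which another core could rewrite the caller's structure after validation.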
Impact
Successful exploitation enables arbitrary read and write access to System Management RAM (SMRAM). This can result in corruption of firmware memory, exfiltration of sensitive SMRAM content by having the handler write it to flash or to an attacker-readable buffer, or installation of persistent implants in SPI flash that survive reboots and operating-system reinstallation [1][2]. Because SMM sits below the OS kernel and hypervisor, code running there is outside the reach of OS-level security controls, and an implant written to flash can also undermine Secure Boot for subsequent boots.
Mitigation
Binarly reported the vulnerability to CERT/CC, and affected Gigabyte devices (e.g., GA-IMB1900N, GA-J1800M-D2P-IN) have been identified. As of publication, Gigabyte and OEMs shipping Gigabyte-based boards are expected to release firmware updates; users should check for BIOS updates from their device manufacturer [1]. To check exposure, compare the installed BIOS version (for example `dmidecode -s bios-version` on Linux, or `wmic bios get smbiosbiosversion` on Windows) against the vendor's release notes, and treat boards that are end-of-life and will not receive an update as requiring compensating controls, since no OS-level setting can restrict what an SMI handler does once invoked.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.