VYPR
High severity (CVSS 8.2, NVD Advisory) · Published Jul 11, 2025 · Updated Apr 15, 2026

CVE-2025-7029

Description

A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used to derive pointers (OcHeader, OcData) passed into power and thermal configuration logic. These buffers are not validated before performing multiple structured memory writes based on OcSetup NVRAM values, enabling arbitrary SMRAM corruption and potential SMM privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Software SMI handler in Gigabyte firmware allows a local attacker to overwrite SMRAM and achieve SMM privilege escalation via unchecked RBX register control.

Vulnerability

Overview

A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) in Gigabyte's OverClockSmiHandler module allows a local attacker to control the RBX register. The RBX value is used to derive the OcHeader and OcData pointers that are subsequently passed into power and thermal configuration logic [1][2]. These pointers are not validated before multiple structured memory writes based on OcSetup NVRAM values are performed, leading to arbitrary SMRAM corruption [1].

Exploitation

An attacker with local access and administrative privileges (PR:H) can trigger this SMI handler, supplying a crafted RBX value through the CPU's save state registers [2]. No user interaction is required beyond the authenticated local session. The lack of input validation on the derived pointers means the attacker can cause writes to arbitrary locations within SMRAM [1][2].
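The missing check described above, shown as an added example that is not Gigabyte's, AMI's or EDK2's code: a standalone C model of the validation a hardened SMI handler performs on a caller-controlled buffer before writing through it. The handler must establish that both the header and the data region it points to lie entirely outside SMRAM and do not wrap the address space, and it must read the header's size field from a local copy rather than from the caller's memory so the value cannot change between check and use. The SMRAM base and size, the oc_header_t layout, and the function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed SMRAM window for this example (hypothetical values). Real firmware
 * obtains the ranges from the platform's SMRAM descriptors at runtime. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL /* 8 MiB */

/* Hypothetical header layout: a signature followed by the length of the
 * OcData region that immediately follows the header in caller memory. */
typedef struct {
    uint32_t signature;
    uint32_t data_size;
} oc_header_t;

enum smi_status { SMI_OK = 0, SMI_REJECT_HEADER = 1, SMI_REJECT_DATA = 2 };

/* Returns true only if [addr, addr + len) is non-empty, does not wrap the
 * 64-bit address space, and does not overlap SMRAM. This reimplements the
 * intent of the standard "buffer outside SMRAM" check; it is not EDK2 code. */
bool buffer_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0)
        return false;                   /* reject empty ranges outright */
    if (addr > UINT64_MAX - len)
        return false;                   /* addr + len would wrap */
    uint64_t end = addr + len;          /* exclusive end */
    uint64_t smram_end = SMRAM_BASE + SMRAM_SIZE;
    /* Half-open intervals overlap iff each starts before the other ends. */
    if (addr < smram_end && end > SMRAM_BASE)
        return false;
    return true;
}

/* Validates the buffers derived from the untrusted RBX value before any
 * write. data_size is passed as a value to model the handler having already
 * copied the header into SMRAM-local storage, which closes the window in
 * which the caller could change the field after it was checked. */
enum smi_status validate_oc_buffers(uint64_t untrusted_rbx, uint32_t data_size)
{
    uint64_t header_addr = untrusted_rbx;
    if (!buffer_outside_smram(header_addr, sizeof(oc_header_t)))
        return SMI_REJECT_HEADER;
    /* The header check guarantees header_addr + sizeof(oc_header_t) does not
     * wrap, so deriving the data pointer from it is safe. */
    uint64_t data_addr = header_addr + sizeof(oc_header_t);
    if (!buffer_outside_smram(data_addr, data_size))
        return SMI_REJECT_DATA;
    return SMI_OK;
}

int main(void)
{
    /* Constructed inputs: one benign caller buffer and two that reach SMRAM. */
    printf("normal buffer      -> %d\n", validate_oc_buffers(0x1000ULL, 64));
    printf("header in SMRAM    -> %d\n", validate_oc_buffers(SMRAM_BASE + 0x10, 64));
    printf("data spills in     -> %d\n", validate_oc_buffers(SMRAM_BASE - 8, 64));
    return 0;
}
```

Running it prints status 0 for the ordinary buffer and the non-zero rejection codes for the two cases that touch SMRAM; the third case is the one that a header-only check misses, because the header itself sits just below SMRAM and only the derived data region crosses the boundary.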

Impact

Successful exploitation results in arbitrary SMRAM corruption, which can be leveraged to achieve System Management Mode (SMM) privilege escalation. SMM is one of the most privileged processor execution environments; an attacker who gains code execution in SMM can subvert the entire platform, including the OS, hypervisor, and firmware [2].

Mitigation

This vulnerability was identified in multiple Gigabyte motherboards (e.g., GA-H110M-S2HP, GA-B150M-D2V) running firmware versions from July 2024 [1]. According to CERT/CC, AMI previously addressed related issues, but they have resurfaced in Gigabyte's firmware and are now being publicly disclosed [2]. Gigabyte has not yet released a public advisory, but affected users should monitor for firmware updates and apply them when available [1][2].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet (0).


References

4 references (cited inline as [1] and [2]).
