Vulnerability-Lookup

CVE-2025-7026 (GCVE-0-2025-7026)

Vulnerability from cvelistv5 – Published: 2025-07-11 15:27 – Updated: 2026-02-26 17:50

Title

SMM Arbitrary Write via Unchecked RBX Pointer in CommandRcx0

Summary

A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function. If the contents at RBX match certain expected values (e.g., '$DB$' or '2DB$'), the function performs arbitrary writes to System Management RAM (SMRAM), leading to potential privilege escalation to System Management Mode (SMM) and persistent firmware compromise.

Severity

8.2 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-822 Untrusted Pointer Dereference

Assigner

certcc

References

4 references

URL	Tags
https://www.gigabyte.com/Support/Security
https://www.binarly.io/advisories/brly-dva-2025-008
https://kb.cert.org/vuls/id/746790
https://www.kb.cert.org/vuls/id/746790

Impacted products

1 product

Vendor	Product	Version
GIGABYTE	UEFI-GenericComponentSmmEntry	Affected: 1.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 8.2,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-7026",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-12T03:55:16.064357Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T17:50:43.390Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:07:19.993Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/746790"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "UEFI-GenericComponentSmmEntry",
          "vendor": "GIGABYTE",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function. If the contents at RBX match certain expected values (e.g., \u0027$DB$\u0027 or \u00272DB$\u0027), the function performs arbitrary writes to System Management RAM (SMRAM), leading to potential privilege escalation to System Management Mode (SMM) and persistent firmware compromise."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-822 Untrusted Pointer Dereference",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-11T15:27:34.960Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.gigabyte.com/Support/Security"
        },
        {
          "url": "https://www.binarly.io/advisories/brly-dva-2025-008"
        },
        {
          "url": "https://kb.cert.org/vuls/id/746790"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SMM Arbitrary Write via Unchecked RBX Pointer in CommandRcx0",
      "x_generator": {
        "engine": "VINCE 3.0.21",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-7026"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2025-7026",
    "datePublished": "2025-07-11T15:27:34.960Z",
    "dateReserved": "2025-07-02T15:42:52.209Z",
    "dateUpdated": "2026-02-26T17:50:43.390Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-7026",
      "date": "2026-06-03",
      "epss": "0.00096",
      "percentile": "0.26504"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-7026\",\"sourceIdentifier\":\"cret@cert.org\",\"published\":\"2025-07-11T16:15:26.897\",\"lastModified\":\"2025-11-03T20:19:20.127\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function. If the contents at RBX match certain expected values (e.g., \u0027$DB$\u0027 or \u00272DB$\u0027), the function performs arbitrary writes to System Management RAM (SMRAM), leading to potential privilege escalation to System Management Mode (SMM) and persistent firmware compromise.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en el controlador Software SMI (SwSmiInputValue 0xB2) permite a un atacante local controlar el registro RBX, que se utiliza como puntero sin control en la funci\u00f3n CommandRcx0. Si el contenido de RBX coincide con ciertos valores esperados (p. ej., \u0027$DB$\u0027 o \u00272DB$\u0027), la funci\u00f3n realiza escrituras arbitrarias en la RAM de administraci\u00f3n del sistema (SMRAM), lo que puede provocar una escalada de privilegios al modo de administraci\u00f3n del sistema (SMM) y una vulnerabilidad persistente del firmware.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.5,\"impactScore\":6.0}]},\"references\":[{\"url\":\"https://kb.cert.org/vuls/id/746790\",\"source\":\"cret@cert.org\"},{\"url\":\"https://www.binarly.io/advisories/brly-dva-2025-008\",\"source\":\"cret@cert.org\"},{\"url\":\"https://www.gigabyte.com/Support/Security\",\"source\":\"cret@cert.org\"},{\"url\":\"https://www.kb.cert.org/vuls/id/746790\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.kb.cert.org/vuls/id/746790\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T20:07:19.993Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-7026\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-12T03:55:16.064357Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-11T15:58:16.621Z\"}}], \"cna\": {\"title\": \"SMM Arbitrary Write via Unchecked RBX Pointer in CommandRcx0\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"affected\": [{\"vendor\": \"GIGABYTE\", \"product\": \"UEFI-GenericComponentSmmEntry\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\"}]}], \"references\": [{\"url\": \"https://www.gigabyte.com/Support/Security\"}, {\"url\": \"https://www.binarly.io/advisories/brly-dva-2025-008\"}, {\"url\": \"https://kb.cert.org/vuls/id/746790\"}], \"x_generator\": {\"env\": \"prod\", \"engine\": \"VINCE 3.0.21\", \"origin\": \"https://cveawg.mitre.org/api/cve/CVE-2025-7026\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function. If the contents at RBX match certain expected values (e.g., \u0027$DB$\u0027 or \u00272DB$\u0027), the function performs arbitrary writes to System Management RAM (SMRAM), leading to potential privilege escalation to System Management Mode (SMM) and persistent firmware compromise.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-822 Untrusted Pointer Dereference\"}]}], \"providerMetadata\": {\"orgId\": \"37e5125f-f79b-445b-8fad-9564f167944b\", \"shortName\": \"certcc\", \"dateUpdated\": \"2025-07-11T15:27:34.960Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-7026\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-26T17:50:43.390Z\", \"dateReserved\": \"2025-07-02T15:42:52.209Z\", \"assignerOrgId\": \"37e5125f-f79b-445b-8fad-9564f167944b\", \"datePublished\": \"2025-07-11T15:27:34.960Z\", \"assignerShortName\": \"certcc\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

BDU:2025-09304

Vulnerability from fstec - Published: 15.04.2025

Title

Уязвимость функции SwSmiInputValue() обработчика System Management Interrupt (SMI) микропрограммного обеспечения материнских плат Gigabyte, позволяющая нарушителю обойти ограничения безопасности, повысить свои привилегии и выполнить произвольный код

Description

Уязвимость функции SwSmiInputValue() обработчика System Management Interrupt (SMI) микропрограммного обеспечения материнских плат Gigabyte связана с разыменованием недоверенного указателя. Эксплуатация уязвимости может позволить нарушителю обойти ограничения безопасности, повысить свои привилегии и выполнить произвольный код

Severity


                    
                      AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Vendor

Gigabyte Technology Co., Ltd.

Software Name

GA-H110M-S2HP, Z590 GAMING X, H510M S2H V2, H510M S2H, GA-H110M-S2V, GA-H110M-S2H, H410M S2H V2 (rev. 1.9/2.1), H410M H V2 (rev. 1.9), GA-B150M-DS3H DDR3, GA-H110M-S2V DDR3, GA-H110M-S2 DDR3, H510M DS2, G1.Sniper M7, GA-B150-HD3P, GA-H110M-DS2 DDR3, Z390 AORUS PRO WIFI, Z390 AORUS PRO, Z490 AORUS MASTER, GA-H310TN-CM, H310M D3H, Z390 AORUS XTREME WATERFORCE, B360M D2V, B360M H, B360M GAMING HD, GA-H110M-D3H, GA-H110M-D3H R2 TPM, GA-H110M-D3H R2, B360 AORUS GAMING 3, B360 AORUS GAMING 3 WIFI, GA-B150-HD3 DDR3, H310M S2H, H310M DS2V, Z490 GAMING X AX, Z490 GAMING X, Z490 AORUS MASTER WATERFORCE, B460M H, B460M GAMING HD, GA-H110-D3A, B560 HD3, B460M DS3H AC, B460M AORUS PRO, H510M S2, B560M H V2, H510M DS2V, H510M H, Z490I AORUS ULTRA, GA-B150M-Gaming, B360 HD3P, GA-H110M-DS2 (rev. 1.0/1.1/1.2), H470M K, H410M K, H510M K V2, H510M S2H V3, H410M H V2, H410M S2 V2, H510M H V2, H510M S2 V2, H470M H, Z590 AORUS MASTER, GA-H110M-DS2V DDR3, GA-B150M-DS3H, Z390 AORUS XTREME, H410M S2H V3, H410M DS2V V3, H410M S2 V3, H410M H V3, GA-H110M-DS2, GA-B150M-D2V, Z490 VISION D, C621 AORUS XTREME, GA-H110TN-E, B360M DS3H, H410M S2H V2, H410M DS2V V2, H510M K, Z590 AORUS ELITE AX, Z590 AORUS ELITE

Software Version

F22f (2024-07-31) (GA-H110M-S2HP), F10 (2023-12-19) (Z590 GAMING X), F13 (2023-12-19) (H510M S2H V2), F17 (2023-12-19) (H510M S2H), F26a (2024-07-31) (GA-H110M-S2V), F26g (2024-07-31) (GA-H110M-S2H), FA (2024-07-03) (H410M S2H V2 (rev. 1.9/2.1)), FA (2024-07-09) (H410M H V2 (rev. 1.9)), F21f (2024-07-31) (GA-B150M-DS3H DDR3), F21e (2024-07-31) (GA-H110M-S2V DDR3), F20g (2024-07-31) (GA-H110M-S2 DDR3), F15 (2023-12-19) (H510M DS2), F20h (2024-07-31) (G1.Sniper M7), F24h (2024-07-31) (GA-B150-HD3P), F20g (2024-07-31) (GA-H110M-DS2 DDR3), F13 (2024-01-11) (Z390 AORUS PRO WIFI), F13 (2024-01-11) (Z390 AORUS PRO), F23 (2023-12-20) (Z490 AORUS MASTER), F17 (2024-01-11) (GA-H310TN-CM), F5 (2024-01-11) (H310M D3H), F8 (2024-01-11) (Z390 AORUS XTREME WATERFORCE), F16 (2024-01-10) (B360M D2V), F16 (2024-01-10) (B360M H), F16 (2024-01-10) (B360M GAMING HD), F22f (2024-07-31) (GA-H110M-D3H), F22e (2024-07-31) (GA-H110M-D3H R2 TPM), F24a (2024-07-31) (GA-H110M-D3H R2), F16 (2024-01-10) (B360 AORUS GAMING 3), F16 (2024-01-10) (B360 AORUS GAMING 3 WIFI), F20h (2024-07-31) (GA-B150-HD3 DDR3), F18 (2024-01-11) (H310M S2H), FQ (2024-01-11) (H310M S2H), F17 (2024-01-11) (H310M DS2V), F23 (2023-12-20) (Z490 GAMING X AX), F23 (2023-12-20) (Z490 GAMING X), F23 (2023-12-20) (Z490 AORUS MASTER WATERFORCE), F5 (2024-01-04) (B460M H), F7 (2024-01-04) (B460M GAMING HD), F26a (2024-07-31) (GA-H110-D3A), F17 (2023-12-19) (B560 HD3), F7 (2024-01-04) (B460M DS3H AC), F8 (2024-01-04) (B460M AORUS PRO), F16 (2023-12-19) (H510M S2), F4 (2023-12-19) (B560M H V2), F16 (2023-12-19) (H510M DS2V), F19 (2023-12-19) (H510M H), F23 (2023-12-20) (Z490I AORUS ULTRA), F20h (2024-07-31) (GA-B150M-Gaming), F16 (2024-01-11) (B360 HD3P), F28b (2024-07-31) (GA-H110M-DS2 (rev. 1.0/1.1/1.2)), F8 (2023-12-20) (H470M K), FC (2023-12-20) (H410M K), F3 (2023-12-20) (H510M K V2), F3 (2023-12-20) (H510M S2H V3), FC (2023-12-20) (H410M H V2), F5 (2024-01-04) (H410M H V2), FC (2023-12-20) (H410M S2 V2), F5 (2024-01-04) (H410M S2 V2), F3 (2023-12-20) (H510M H V2), F3 (2023-12-20) (H510M S2 V2), F5 (2023-12-20) (H470M H), F10 (2023-12-19) (Z590 AORUS MASTER), F22a (2024-07-31) (GA-H110M-DS2V DDR3), F22h (2024-07-31) (GA-B150M-DS3H), F10 (2024-01-11) (Z390 AORUS XTREME), F9 (2023-12-20) (H410M S2H V3), F9 (2023-12-20) (H410M DS2V V3), F9 (2023-12-20) (H410M S2 V3), F9 (2023-12-20) (H410M H V3), FCa (2024-07-31) (GA-H110M-DS2), F22f (2024-07-31) (GA-B150M-D2V), F23 (2023-12-20) (Z490 VISION D), F4b (2024-08-22) (C621 AORUS XTREME), F23f (2024-07-31) (GA-H110TN-E), F19 (2024-01-10) (B360M DS3H), F6 (2024-01-04) (H410M S2H V2), F5 (2024-01-04) (H410M DS2V V2), F6 (2023-12-19) (H510M K), F10 (2023-12-19) (Z590 AORUS ELITE AX), F8 (2023-12-19) (Z590 AORUS ELITE)

Possible Mitigations

Использование рекомендаций производителя: https://www.gigabyte.com/Support/Security/2302

Reference

https://www.gigabyte.com/Support/Security/2302 https://vuldb.com/?id.316178 https://www.binarly.io/advisories/brly-dva-2025-008

CWE

CWE-822

JSON

To clipboard

{
  "CVSS 2.0": "AV:L/AC:L/Au:S/C:C/I:C/A:C",
  "CVSS 3.0": "AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Gigabyte Technology Co., Ltd.",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "F22f (2024-07-31) (GA-H110M-S2HP), F10 (2023-12-19) (Z590 GAMING X), F13 (2023-12-19) (H510M S2H V2), F17 (2023-12-19) (H510M S2H), F26a (2024-07-31) (GA-H110M-S2V), F26g (2024-07-31) (GA-H110M-S2H), FA (2024-07-03) (H410M S2H V2 (rev. 1.9/2.1)), FA (2024-07-09) (H410M H V2 (rev. 1.9)), F21f (2024-07-31) (GA-B150M-DS3H DDR3), F21e (2024-07-31) (GA-H110M-S2V DDR3), F20g (2024-07-31) (GA-H110M-S2 DDR3), F15 (2023-12-19) (H510M DS2), F20h (2024-07-31) (G1.Sniper M7), F24h (2024-07-31) (GA-B150-HD3P), F20g (2024-07-31) (GA-H110M-DS2 DDR3), F13 (2024-01-11) (Z390 AORUS PRO WIFI), F13 (2024-01-11) (Z390 AORUS PRO), F23 (2023-12-20) (Z490 AORUS MASTER), F17 (2024-01-11) (GA-H310TN-CM), F5 (2024-01-11) (H310M D3H), F8 (2024-01-11) (Z390 AORUS XTREME WATERFORCE), F16 (2024-01-10) (B360M D2V), F16 (2024-01-10) (B360M H), F16 (2024-01-10) (B360M GAMING HD), F22f (2024-07-31) (GA-H110M-D3H), F22e (2024-07-31) (GA-H110M-D3H R2 TPM), F24a (2024-07-31) (GA-H110M-D3H R2), F16 (2024-01-10) (B360 AORUS GAMING 3), F16 (2024-01-10) (B360 AORUS GAMING 3 WIFI), F20h (2024-07-31) (GA-B150-HD3 DDR3), F18 (2024-01-11) (H310M S2H), FQ (2024-01-11) (H310M S2H), F17 (2024-01-11) (H310M DS2V), F23 (2023-12-20) (Z490 GAMING X AX), F23 (2023-12-20) (Z490 GAMING X), F23 (2023-12-20) (Z490 AORUS MASTER WATERFORCE), F5 (2024-01-04) (B460M H), F7 (2024-01-04) (B460M GAMING HD), F26a (2024-07-31) (GA-H110-D3A), F17 (2023-12-19) (B560 HD3), F7 (2024-01-04) (B460M DS3H AC), F8 (2024-01-04) (B460M AORUS PRO), F16 (2023-12-19) (H510M S2), F4 (2023-12-19) (B560M H V2), F16 (2023-12-19) (H510M DS2V), F19 (2023-12-19) (H510M H), F23 (2023-12-20) (Z490I AORUS ULTRA), F20h (2024-07-31) (GA-B150M-Gaming), F16 (2024-01-11) (B360 HD3P), F28b (2024-07-31) (GA-H110M-DS2 (rev. 1.0/1.1/1.2)), F8 (2023-12-20) (H470M K), FC (2023-12-20) (H410M K), F3 (2023-12-20) (H510M K V2), F3 (2023-12-20) (H510M S2H V3), FC (2023-12-20) (H410M H V2), F5 (2024-01-04) (H410M H V2), FC (2023-12-20) (H410M S2 V2), F5 (2024-01-04) (H410M S2 V2), F3 (2023-12-20) (H510M H V2), F3 (2023-12-20) (H510M S2 V2), F5 (2023-12-20) (H470M H), F10 (2023-12-19) (Z590 AORUS MASTER), F22a (2024-07-31) (GA-H110M-DS2V DDR3), F22h (2024-07-31) (GA-B150M-DS3H), F10 (2024-01-11) (Z390 AORUS XTREME), F9 (2023-12-20) (H410M S2H V3), F9 (2023-12-20) (H410M DS2V V3), F9 (2023-12-20) (H410M S2 V3), F9 (2023-12-20) (H410M H V3), FCa (2024-07-31) (GA-H110M-DS2), F22f (2024-07-31) (GA-B150M-D2V), F23 (2023-12-20) (Z490 VISION D), F4b (2024-08-22) (C621 AORUS XTREME), F23f (2024-07-31) (GA-H110TN-E), F19 (2024-01-10) (B360M DS3H), F6 (2024-01-04) (H410M S2H V2), F5 (2024-01-04) (H410M DS2V V2), F6 (2023-12-19) (H510M K), F10 (2023-12-19) (Z590 AORUS ELITE AX), F8 (2023-12-19) (Z590 AORUS ELITE)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://www.gigabyte.com/Support/Security/2302",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "15.04.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "01.08.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "01.08.2025",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-09304",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-7026",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "GA-H110M-S2HP, Z590 GAMING X, H510M S2H V2, H510M S2H, GA-H110M-S2V, GA-H110M-S2H, H410M S2H V2 (rev. 1.9/2.1), H410M H V2 (rev. 1.9), GA-B150M-DS3H DDR3, GA-H110M-S2V DDR3, GA-H110M-S2 DDR3, H510M DS2, G1.Sniper M7, GA-B150-HD3P, GA-H110M-DS2 DDR3, Z390 AORUS PRO WIFI, Z390 AORUS PRO, Z490 AORUS MASTER, GA-H310TN-CM, H310M D3H, Z390 AORUS XTREME WATERFORCE, B360M D2V, B360M H, B360M GAMING HD, GA-H110M-D3H, GA-H110M-D3H R2 TPM, GA-H110M-D3H R2, B360 AORUS GAMING 3, B360 AORUS GAMING 3 WIFI, GA-B150-HD3 DDR3, H310M S2H, H310M DS2V, Z490 GAMING X AX, Z490 GAMING X, Z490 AORUS MASTER WATERFORCE, B460M H, B460M GAMING HD, GA-H110-D3A, B560 HD3, B460M DS3H AC, B460M AORUS PRO, H510M S2, B560M H V2, H510M DS2V, H510M H, Z490I AORUS ULTRA, GA-B150M-Gaming, B360 HD3P, GA-H110M-DS2 (rev. 1.0/1.1/1.2), H470M K, H410M K, H510M K V2, H510M S2H V3, H410M H V2, H410M S2 V2, H510M H V2, H510M S2 V2, H470M H, Z590 AORUS MASTER, GA-H110M-DS2V DDR3, GA-B150M-DS3H, Z390 AORUS XTREME, H410M S2H V3, H410M DS2V V3, H410M S2 V3, H410M H V3, GA-H110M-DS2, GA-B150M-D2V, Z490 VISION D, C621 AORUS XTREME, GA-H110TN-E, B360M DS3H, H410M S2H V2, H410M DS2V V2, H510M K, Z590 AORUS ELITE AX, Z590 AORUS ELITE",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 SwSmiInputValue() \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a\u0430 System Management Interrupt (SMI) \u043c\u0438\u043a\u0440\u043e\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u043c\u0430\u0442\u0435\u0440\u0438\u043d\u0441\u043a\u0438\u0445 \u043f\u043b\u0430\u0442 Gigabyte, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0431\u043e\u0439\u0442\u0438 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438, \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043d\u0430\u0434\u0435\u0436\u043d\u043e\u0435 \u0440\u0430\u0437\u044b\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u043a\u0430\u0437\u0430\u0442\u0435\u043b\u044f (CWE-822)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 SwSmiInputValue() \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a\u0430 System Management Interrupt (SMI) \u043c\u0438\u043a\u0440\u043e\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u043c\u0430\u0442\u0435\u0440\u0438\u043d\u0441\u043a\u0438\u0445 \u043f\u043b\u0430\u0442 Gigabyte \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0440\u0430\u0437\u044b\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u043d\u0435\u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u043e\u0433\u043e \u0443\u043a\u0430\u0437\u0430\u0442\u0435\u043b\u044f. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0431\u043e\u0439\u0442\u0438 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438, \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://www.gigabyte.com/Support/Security/2302\nhttps://vuldb.com/?id.316178\nhttps://www.binarly.io/advisories/brly-dva-2025-008",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041c\u0438\u043a\u0440\u043e\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-822",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,2)"
}

FKIE_CVE-2025-7026

Vulnerability from fkie_nvd - Published: 2025-07-11 16:15 - Updated: 2026-04-15 00:35

Severity

8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	cret@cert.org	https://kb.cert.org/vuls/id/746790
	cret@cert.org	https://www.binarly.io/advisories/brly-dva-2025-008
	cret@cert.org	https://www.gigabyte.com/Support/Security
	af854a3a-2127-422b-91ae-364da2661108	https://www.kb.cert.org/vuls/id/746790

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function. If the contents at RBX match certain expected values (e.g., \u0027$DB$\u0027 or \u00272DB$\u0027), the function performs arbitrary writes to System Management RAM (SMRAM), leading to potential privilege escalation to System Management Mode (SMM) and persistent firmware compromise."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en el controlador Software SMI (SwSmiInputValue 0xB2) permite a un atacante local controlar el registro RBX, que se utiliza como puntero sin control en la funci\u00f3n CommandRcx0. Si el contenido de RBX coincide con ciertos valores esperados (p. ej., \u0027$DB$\u0027 o \u00272DB$\u0027), la funci\u00f3n realiza escrituras arbitrarias en la RAM de administraci\u00f3n del sistema (SMRAM), lo que puede provocar una escalada de privilegios al modo de administraci\u00f3n del sistema (SMM) y una vulnerabilidad persistente del firmware."
    }
  ],
  "id": "CVE-2025-7026",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.5,
        "impactScore": 6.0,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-11T16:15:26.897",
  "references": [
    {
      "source": "cret@cert.org",
      "url": "https://kb.cert.org/vuls/id/746790"
    },
    {
      "source": "cret@cert.org",
      "url": "https://www.binarly.io/advisories/brly-dva-2025-008"
    },
    {
      "source": "cret@cert.org",
      "url": "https://www.gigabyte.com/Support/Security"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.kb.cert.org/vuls/id/746790"
    }
  ],
  "sourceIdentifier": "cret@cert.org",
  "vulnStatus": "Deferred"
}

GHSA-G884-34R9-CWXQ

Vulnerability from github – Published: 2025-07-11 18:30 – Updated: 2025-11-03 21:34

Details

Severity

8.2 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-7026"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-11T16:15:26Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function. If the contents at RBX match certain expected values (e.g., \u0027$DB$\u0027 or \u00272DB$\u0027), the function performs arbitrary writes to System Management RAM (SMRAM), leading to potential privilege escalation to System Management Mode (SMM) and persistent firmware compromise.",
  "id": "GHSA-g884-34r9-cwxq",
  "modified": "2025-11-03T21:34:05Z",
  "published": "2025-07-11T18:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7026"
    },
    {
      "type": "WEB",
      "url": "https://kb.cert.org/vuls/id/746790"
    },
    {
      "type": "WEB",
      "url": "https://www.binarly.io/advisories/brly-dva-2025-008"
    },
    {
      "type": "WEB",
      "url": "https://www.gigabyte.com/Support/Security"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/746790"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-7026 (GCVE-0-2025-7026)

BDU:2025-09304

FKIE_CVE-2025-7026

GHSA-G884-34R9-CWXQ

Tags

Sightings

Nomenclature