An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver in UsbLegacyControlSmm leads to possible arbitrary code execution in SMM and escalation of privileges. An attacker could overwrite the function pointers in the EFI_BOOT_SERVICES table before the USB SMI handler triggers. (This is not exploitable from code running in the operating system.)
CVE-2022-35408
HIGHNVD 8.28.2—Elevated
EchelonGraph scoreMEDIUM confidence
Score 8.2 from GitHub Security Advisory (severity: HIGH) published 2022-09-23. NVD baseline CVSS 8.2; sources differ by 0.0.
Triggered by: GitHub Security Advisory CVSS
Sources: ghsa, nvd
8.2
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
- High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 8.2Exploit: NoneExposed: 0
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 8.2
- EG Score
- 8.2(medium)
- EPSS
- 26.1%
- KEV
- Not listed
Published
September 22, 2022
Last Modified
May 27, 2025
References (6)
- cve@mitrehttps://binarly.io/advisories/BRLY-2022-022/index.html
- cve@mitrehttps://www.insyde.com/security-pledge
- cve@mitrehttps://www.insyde.com/security-pledge/SA-2022031
- af854a3a-2127-422b-91ae-364da2661108https://binarly.io/advisories/BRLY-2022-022/index.html
- af854a3a-2127-422b-91ae-364da2661108https://www.insyde.com/security-pledge
- af854a3a-2127-422b-91ae-364da2661108https://www.insyde.com/security-pledge/SA-2022031
Frequently asked(5)
What is CVE-2022-35408?
CVE-2022-35408 is a high vulnerability published on September 22, 2022. An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver in UsbLegacyControlSmm leads to possible arbitrary code execution in SMM and escalation of privileges. An attacker could overwrite the function pointers in the EFIBOOTSERVICES…
When was CVE-2022-35408 disclosed?
CVE-2022-35408 was first published in the National Vulnerability Database on September 22, 2022, with the most recent update on May 27, 2025. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2022-35408 actively exploited?
CVE-2022-35408 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 26.1% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2022-35408?
CVE-2022-35408 has a CVSS v3 base score of 8.2 (NVD).
How do I remediate CVE-2022-35408?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2022-35408, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2022-35408
Is Your Infrastructure Affected by CVE-2022-35408?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.