CVE-2022-34391 - Vulnerability Details - OpenCVE

Dell Client BIOS Versions prior to the remediated version contain an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00023.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Dell	Alienware Area-51 R4 Alienware Area-51 R4 Firmware Alienware Area-51 R5 Alienware Area-51 R5 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:dell:alienware_area-51_r5_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:alienware_area-51_r5:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:dell:alienware_area-51_r4_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:alienware_area-51_r4:-:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-37346	Dell Client BIOS Versions prior to the remediated version contain an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.dell.com/support/kbdoc/000203882

History

Fri, 16 May 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2022-10-12T19:25:49.498Z

Updated: 2025-05-16T13:44:47.069Z

Reserved: 2022-06-23T00:00:00.000Z

Link: CVE-2022-34391

Vulnrichment

Updated: 2024-08-03T09:07:16.180Z

NVD

Status : Modified

Published: 2022-10-12T20:15:11.187

Modified: 2024-11-21T07:09:25.327

Link: CVE-2022-34391

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-34391", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "datePublished": "2022-10-12T19:25:49.498Z", "dateUpdated": "2025-05-16T13:44:47.069Z", "dateReserved": "2022-06-23T00:00:00.000Z"}, "containers": {"cna": {"datePublic": "2022-09-30T00:00:00.000Z", "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2022-10-12T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Dell Client BIOS Versions prior to the remediated version contain an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM."}], "affected": [{"vendor": "Dell", "product": "CPG BIOS", "versions": [{"version": "unspecified", "lessThan": "1.2.15", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/000203882"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer", "cweId": "CWE-119"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:07:16.180Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.dell.com/support/kbdoc/000203882", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-16T13:44:38.497984Z", "id": "CVE-2022-34391", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-16T13:44:47.069Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.dell.com/support/kbdoc/000203882", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:07:16.180Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-34391", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-16T13:44:38.497984Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-16T13:44:43.036Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Dell", "product": "CPG BIOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "1.2.15", "versionType": "custom"}]}], "datePublic": "2022-09-30T00:00:00.000Z", "references": [{"url": "https://www.dell.com/support/kbdoc/000203882"}], "descriptions": [{"lang": "en", "value": "Dell Client BIOS Versions prior to the remediated version contain an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2022-10-12T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-34391", "state": "PUBLISHED", "dateUpdated": "2025-05-16T13:44:47.069Z", "dateReserved": "2022-06-23T00:00:00.000Z", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "datePublished": "2022-10-12T19:25:49.498Z", "assignerShortName": "dell"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dell:alienware_area-51_r5_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1EA2C555-09DA-414E-8D45-EC918C8810BE", "versionEndExcluding": "2.0.6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dell:alienware_area-51_r5:-:*:*:*:*:*:*:*", "matchCriteriaId": "2C06505A-EA9C-4F4A-8361-D115AE143358", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dell:alienware_area-51_r4_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "111F8269-8B83-41C1-8884-7888EDD0BF2E", "versionEndExcluding": "2.0.6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dell:alienware_area-51_r4:-:*:*:*:*:*:*:*", "matchCriteriaId": "776E24AF-9F3A-48B4-87D2-277616AFD21E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Dell Client BIOS Versions prior to the remediated version contain an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM."}, {"lang": "es", "value": "Dell Client BIOS versiones anteriores a la corregida, contienen una vulnerabilidad de comprobaci\u00f3n de entrada inapropiada. Un usuario local malicioso y autenticado podr\u00eda explotar esta vulnerabilidad usando un SMI para conseguir una ejecuci\u00f3n de c\u00f3digo arbitrario en la SMRAM"}], "id": "CVE-2022-34391", "lastModified": "2024-11-21T07:09:25.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 6.0, "source": "security_alert@emc.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-12T20:15:11.187", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/000203882"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/000203882"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "security_alert@emc.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}