Advisory ID: BRLY-2025-009

SMM memory corruption vulnerability in SMM module on Gigabyte device (SMRAM write)

July 9, 2025
Severity: High
CVSS Score: 8.2
Public Disclosure Date: July 9, 2025
CVE ID: CVE-2025-7027

Summary

The BINARLY REsearch team has discovered a memory corruption vulnerability in Gigabyte device firmware that could allow a potential attacker to write fixed or predictable data to an attacker-controlled address.
Vendors Affected

AMI
Gigabyte
Affected Products

Multiple

Potential Impact

An attacker could exploit this vulnerability to elevate privileges from ring 0 to ring -2 and execute arbitrary code in System Management Mode, an environment more privileged than and completely isolated from the operating system (OS). Running arbitrary code in SMM also bypasses SMM-based SPI flash protections against modification, which can help an attacker to install a firmware backdoor/implant. Such malicious code in the firmware could persist through operating system reinstallations. In addition, this vulnerability could potentially be used by malicious actors to bypass security mechanisms provided by UEFI firmware, such as Secure Boot and some types of memory isolation for hypervisors.

Vulnerability Information

  • BINARLY internal vulnerability identifier: BRLY-2025-009
  • CERT/CC assigned CVE identifier: CVE-2025-7027
  • CVSS v3.1: 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected firmware with confirmed impact by BINARLY team

Device Version OEM IBV Name Kind
GA-H110M-S2HP F22f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 GAMING X F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2H V2 F13 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2H F17 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2V F26a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2H F26g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2H V2 (rev. 1.9/2.1) FA (2024-07-03) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H V2 (rev. 1.9) FA (2024-07-09) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-DS3H DDR3 F21f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2V DDR3 F21e (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2 DDR3 F20g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H510M DS2 F15 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
G1.Sniper M7 F20h (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150-HD3P F24h (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-DS2 DDR3 F20g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS PRO WIFI F13 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS PRO F13 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS MASTER F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H310TN-CM F17 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H310M D3H F5 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS XTREME WATERFORCE F8 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B360M D2V F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
B360M H F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
B360M GAMING HD F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-D3H F22f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-D3H R2 TPM F22e (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-D3H R2 F24a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B360 AORUS GAMING 3 F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
B360 AORUS GAMING 3 WIFI F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150-HD3 DDR3 F20h (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H310M S2H F18 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H310M DS2V F17 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H310M S2H FQ (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 GAMING X AX F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 GAMING X F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS MASTER WATERFORCE F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
B460M H F5 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
B460M GAMING HD F7 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110-D3A F26a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B560 HD3 F17 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B460M DS3H AC F7 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
B460M AORUS PRO F8 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2 F16 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M H V2 F4 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H510M DS2V F16 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H510M H F19 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z490I AORUS ULTRA F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-Gaming F20h (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B360 HD3P F16 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-DS2 (rev. 1.0/1.1/1.2) F28b (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H470M K F8 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M K FC (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H510M K V2 F3 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2H V3 F3 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H V2 FC (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2 V2 FC (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H510M H V2 F3 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2 V2 F3 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H470M H F5 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS MASTER F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-DS2V DDR3 F22a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-DS3H F22h (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS XTREME F10 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2H V3 F9 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M DS2V V3 F9 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2 V3 F9 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H V3 F9 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-DS2 FCa (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-D2V F22f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 VISION D F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
C621 AORUS XTREME F4b (2024-08-22) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110TN-E F23f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B360M DS3H F19 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2H V2 F6 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M DS2V V2 F5 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2 V2 F5 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H V2 F5 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H510M K F6 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS ELITE AX F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS ELITE F8 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B460M DS3H V2 F26 (2024-02-27) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150N-GSM F24b (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z490M GAMING X F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z490M F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-D3V DDR3 F20h (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B460M D2V F8 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 GAMING X F11 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H470M DS3H F25 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS XTREME WATERFORCE 5G F5 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2PV F26a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2PT F25a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2H DDR3 F21a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H510M DS2V FF (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2 FF (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H510M H FF (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
C246-WU4 F8 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS PRO AX F11 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS XTREME WATERFORCE F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M K (rev. 1.2) F2 (2024-11-05) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS ULTRA F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS ULTRA G2 F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS XTREME F14 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M DS3H F11 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M DS3H V2 F11 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M DS3H PLUS F9 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS ELITE F24 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS ELITE AC F24 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110MSTX-HD3-ZK F26a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2H V2 F5 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H V2 (rev. 2.0) F5 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2 V2 F5 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-D3H F25d (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2H V2 FF (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z590M GAMING X F9 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110TN-M F23f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110TN-CM F26a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 VISION G F9 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 I AORUS PRO WIFI F9 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B560M DS3H AC F14 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 UD V2 F3 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B360M D3V F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
H510M HD3P F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
C246N-WU2 F4 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150-HD3 F23f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-A F25a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-H (rev. 1.0/1.1/1.2) F28a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-M.2 F25a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B560M H F13 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M GAMING HD F14 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M POWER F14 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M D2V F14 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
W480 VISION W F24 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H370 AORUS GAMING 3 WIFI F15 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H370 AORUS GAMING 3 F15 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B360 HD3 F17 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2 V3 FF (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M DS2V V3 FF (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H V3 FF (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2H V3 FF (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
W480 VISION D F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H310M S2V F16 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H310M S2 F18 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-D3H DDR3 F21a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B560M AORUS PRO AX F14 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M AORUS PRO F11 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H370M D3H F15 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H370M D3H GSM F15 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H370M DS3H F15 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H310TN-R2 F4 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-D3V F22f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-D2V DDR3 F20g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-Gaming 3 F26a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-X150M-PRO ECC F22i (2024-08-14) Gigabyte AMI GenericComponentSmmEntry SMM
B460M D3H F7 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2 F27b (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Q370M D3H GSM PLUS F16 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110N F25a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 VISION G F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
B360N WIFI F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-WW F25a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H310M M.2 2.0 FB (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
G1.Sniper B7 F22g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 D F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS ELITE F11 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B460M AORUS ELITE F7 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H510M A F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H410M HD3P FB (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H470I AORUS PRO AX F25 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS TACHYON F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M AORUS ELITE F12 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
W480M VISION W F24 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS XTREME WATERFORCE F9 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H310 D3 F19 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 UD AC F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 UD F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H310M H F20 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H370N WIFI F16 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS PRO AX F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
B360N AORUS GAMING WIFI F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
H310M HD2 F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 D F4 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-H DDR3 F25a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110-D3 F25a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2PV DDR3 F20g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B360 M AORUS PRO F6 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2PH DDR3 F20g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H310M A F16 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H410M K F6 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
B460M DS3H F7 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H F8 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2 F9 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 UD F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 UD AC F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2H V2 FH (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M DS2V V2 FF (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H V2 FH (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2 V2 FH (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150N Phoenix-WIFI F22f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150N Phoenix F20h (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS ULTRA F9 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B460M POWER F7 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
B560I AORUS PRO AX F13 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2P F14 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M D3H F12 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z590I VISION D F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H470 AORUS PRO AX F25 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
GA-X170-EXTREME ECC F21h (2024-08-01) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H310MSTX-HD3 F7 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B460 AORUS PRO AC F9 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2H F8 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M DS2V F6 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-DS2V F25b (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 UD F11 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B560 AORUS PRO AX F13 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
C246M-WU4 F7 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B560M-D3P F11 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 M GAMING F10 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H410M HD3P F8 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
Z590I AORUS ULTRA F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS MASTER F12 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H310N F18 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B360M HD3 F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
B360M D3P F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS ULTRA F11 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H470 HD3 F25 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS XTREME F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H310M DS2 F21 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H310M S2P F23 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-DS3P F22f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z590M F9 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-HD3 F22g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B460 HD3 F6 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
Q570M D3H F11 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2PH F28b (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H370 HD3 F16 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 VISION D F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B360M D3H F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 DESIGNARE F10 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 M F7 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-HD3 DDR3 F20i (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 GAMING SLI F11 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM

Vulnerability description

Let's consider the module 5f42fc844985adaf4dcb21aeced55f40128e33ef454607f910cbedf7e9e08c4a.

The pseudocode of the vulnerable function at 0x179B8 is shown below (SwSmiInputValue: 0xB2):

EFI_STATUS SwSmiHandler(
        EFI_HANDLE DispatchHandle,
        const void *Context,
        EFI_SMM_SW_CONTEXT *CommBuffer,
        UINTN *CommBufferSize)
{
  UINTN SwSmiCpuIndex;
  INT32 Result;
  UINT32 RbxRegister;
  UINT32 RcxRegister;
  UINT32 Value;

  Value = 0;
  if ( CommBuffer && CommBufferSize )
    SwSmiCpuIndex = CommBuffer->SwSmiCpuIndex;
  else
    SwSmiCpuIndex = Value;
  if ( SwSmiCpuIndex != -1 )
  {
    // 1. read buffer address in RbxRegister
    gEfiSmmCpuProtocol->ReadSaveState(
      gEfiSmmCpuProtocol,
      4,
      EFI_SMM_SAVE_STATE_REGISTER_RBX,
      SwSmiCpuIndex,
      &RbxRegister);

    // 2. read command in RcxRegister
    gEfiSmmCpuProtocol->ReadSaveState(
      gEfiSmmCpuProtocol,
      4,
      EFI_SMM_SAVE_STATE_REGISTER_RCX,
      SwSmiCpuIndex,
      &RcxRegister);

    if ( RcxRegister )
    {
      if ( RcxRegister != 1 )
      {
        Value = 0x8004;
_WriteRbx:
        gEfiSmmCpuProtocol->WriteSaveState(
          gEfiSmmCpuProtocol,
          4,
          EFI_SMM_SAVE_STATE_REGISTER_RBX,
          SwSmiCpuIndex,
          &Value);
        return 0;
      }
      // vulnerable function
      Result = CommandRcx1(RbxRegister);
    }
    else
    {
      Result = CommandRcx0(RbxRegister);
    }
    Value = Result;
    if ( (Result - 0x9001) <= 1 )
    {
      gEfiSmmCpuProtocol->WriteSaveState(
        gEfiSmmCpuProtocol,
        4,
        EFI_SMM_SAVE_STATE_REGISTER_RCX,
        SwSmiCpuIndex,
        &Value);
      Value = 0xFFFF;
    }
    goto _WriteRbx;
  }
  return 0;
}

As we can see from the pseudocode, this handler defines the following logic:

  • read command from EFI_SMM_SAVE_STATE_REGISTER_RCX in RcxRegister variable
  • read buffer address from EFI_SMM_SAVE_STATE_REGISTER_RBX in RbxRegister variable
  • execute CommandRcx1 or CommandRcx0 depending on RcxRegister (command) value

The pseudocode of the CommandRcx1 function is shown below:

INT32 CommandRcx1(BIOS_SETTINGS_DATA_HEADER *RbxRegister)
{
  if ( RbxRegister->Signature != '2DB$' )
    return 0x8001;
  GetSetupXtuBufferAddress(&SetupXtuBufferAddress);
  ControlledPtrFromVariable = SetupXtuBufferAddress;
  ControlledPtrFromSaveState = RbxRegister + 1;
  if ( RbxRegister->Count )
  {
    Count = RbxRegister->Count;
    do
    {
      Sig = ControlledPtrFromSaveState->Signature;
      if ( (LOBYTE(ControlledPtrFromSaveState->Signature) - 7) > 7 )
      {
        if ( Sig == 15 )
        {
          Res = 7;
        }
        else if ( (Sig - 0x1A) > 9 )
        {
          Val = ControlledPtrFromSaveState->Signature;
          if ( Sig == 0x19 )
            Val = '#';
          Res = Val;
        }
        else
        {
          Res = Sig - 1;
        }
      }
      else
      {
        Res = Sig + 1;
      }
      Length = ControlledPtrFromSaveState->Length;
      ControlledPtrFromSaveState = (ControlledPtrFromSaveState + 8);
      // SMRAM write and limited SMRAM read,
      // SetupXtuBufferAddress and ControlledPtrFromSaveState are not validated
      *(ControlledPtrFromVariable + 2 * Res + 0xC) = Length;
      --Count;
    }
    while ( Count );
  }
  ...
}

EFI_STATUS GetSetupXtuBufferAddress(UINT64 *SetupXtuBufferAddressOut)
{
  UINT64 SetupXtuBufferAddress;
  UINTN DataSize;

  SetupXtuBufferAddress = 0;
  DataSize = 8;
  gRT->GetVariable(L"SetupXtuBufferAddress", &gVendorGuid, 0, &DataSize, &SetupXtuBufferAddress);
  *SetupXtuBufferAddressOut = SetupXtuBufferAddress;
  return 0;
}

As we can see from the pseudocode:

  • ControlledPtrFromVariable - address obtained from the value of the SetupXtuBufferAddress NVRAM variable
  • ControlledPtrFromSaveState - address obtained from the attacker-controlled RbxRegister value

The following code allows an attacker to write controllable data to a controllable address inside SMRAM:

Length = ControlledPtrFromSaveState->Length;
ControlledPtrFromSaveState = (ControlledPtrFromSaveState + 8);
// SMRAM write and limited SMRAM read,
// SetupXtuBufferAddress and ControlledPtrFromSaveState are not validated
*(ControlledPtrFromVariable + 2 * Res + 0xC) = Length;
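
The two checks the pseudocode lacks, sketched as a host-side C model. This is an added example, not code from BINARLY, AMI or Gigabyte. The SMRAM window, the header size, the 32-bit Signature and the 2-byte store width are assumptions, and outside_smram, map_index and check_request are hypothetical names; in EDK II firmware the range test corresponds to SmmIsBufferOutsideSmmValid() from SmmMemLib.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values for this host-side model; none come from real firmware. */
#define SMRAM_BASE 0x8B000000ull /* constructed SMRAM window start */
#define SMRAM_SIZE 0x00800000ull /* constructed SMRAM window size */
#define HDR_SIZE   8u            /* assumed sizeof(BIOS_SETTINGS_DATA_HEADER) */
#define ENTRY_SIZE 8u            /* entry stride used by the pseudocode (+ 8) */
#define WRITE_SIZE 2u            /* assumed width of the store of Length */

enum { REQ_OK = 0, REQ_BAD_INPUT = 1, REQ_BAD_TARGET = 2 };

/* True only if [addr, addr+len) is non-empty, does not wrap, and misses SMRAM. */
bool outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || len > UINT64_MAX - addr)
        return false;
    return addr + len <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Index transform read off the CommandRcx1 pseudocode, assuming a 32-bit
 * Signature and unsigned compares:
 * 7..14 -> +1, 15 -> 7, 0x19 -> 0x23 ('#'), 0x1A..0x23 -> -1, else unchanged. */
uint32_t map_index(uint32_t sig)
{
    if ((uint8_t)(sig - 7) <= 7)
        return sig + 1;
    if (sig == 15)
        return 7;
    if (sig - 0x1A > 9)
        return sig == 0x19 ? 0x23 : sig;
    return sig - 1;
}

/* Checks to run before the loop touches memory. rbx and xtu_base are the two
 * untrusted pointers; ids holds a private copy of the entry Signature fields,
 * taken once so the values checked are the values later used. */
int check_request(uint64_t rbx, uint32_t count, uint64_t xtu_base,
                  const uint32_t *ids)
{
    /* 1. Header plus all entries must lie wholly outside SMRAM. */
    uint64_t in_len = HDR_SIZE + (uint64_t)count * ENTRY_SIZE;
    if (!outside_smram(rbx, in_len))
        return REQ_BAD_INPUT;

    /* 2. Each destination xtu_base + 2 * Res + 0xC must be outside SMRAM too. */
    for (uint32_t i = 0; i < count; i++) {
        uint64_t off = 2ull * map_index(ids[i]) + 0xC;
        if (off > UINT64_MAX - xtu_base ||
            !outside_smram(xtu_base + off, WRITE_SIZE))
            return REQ_BAD_TARGET;
    }
    return REQ_OK;
}

int main(void)
{
    const uint32_t ids[] = { 7, 0x19 }; /* constructed sample entries */
    printf("normal buffers        -> %d\n",
           check_request(0x10000000, 2, 0x20000000, ids));
    printf("RBX inside SMRAM      -> %d\n",
           check_request(SMRAM_BASE + 0x100, 2, 0x20000000, ids));
    printf("base just below SMRAM -> %d\n",
           check_request(0x10000000, 2, SMRAM_BASE - 0x10, ids));
    return 0;
}
```

The third case shows why checking the base address alone is not enough: the base lies outside SMRAM, but the computed offset moves the store inside it.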

Disclosure timeline

This vulnerability is subject to a 90-day disclosure period. After 90 days, or when a patch has been made generally available (whichever comes first), the advisory will be publicly disclosed.

Disclosure Activity Date
CERT/CC is notified 2025-04-15
Gigabyte confirmed issue 2025-06-12
CERT/CC assigned CVE number 2025-07-02
BINARLY public disclosure date 2025-07-10

Acknowledgements

BINARLY REsearch team

Tags
AMI
Firmware
UEFI
FWHunt