CVE-2022-40262

Public Exploit
The arbitrary write vulnerability in S3Resume2Pei leads to arbitrary code execution during PEI phase.

Description

A potential attacker can execute an arbitrary code at the time of the PEI phase and influence the subsequent boot stages. This can lead to the mitigations bypassing, physical memory contents disclosure, discovery of any secrets from any Virtual Machines (VMs) and bypassing memory isolation and confidential computing boundaries. Additionally, an attacker can build a payload which can be injected into the SMRAM memory. This issue affects: Module name: S3Resume2Pei SHA256: 7bb29f05534a8a1e010443213451425098faebd45948a4642db969b19d0253fc Module GUID: 89E549B0-7CFE-449D-9BA3-10D8B2312D71

Categories

8.2
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.01%
Vendor Advisory ami.com
Affected: AMI Aptio
Published at:
Updated at:

References

Link Tags
https://www.ami.com/security-center/ vendor advisory
https://www.binarly.io/advisories/BRLY-2022-009 third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2022-40262?
CVE-2022-40262 has been scored as a high severity vulnerability.
How to fix CVE-2022-40262?
To fix CVE-2022-40262, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-40262 being actively exploited in the wild?
It is possible that CVE-2022-40262 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-40262?
CVE-2022-40262 affects AMI Aptio.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.