SMM memory corruption vulnerability in SMM module on Gigabyte device (SMRAM write)


Vulnerability Information

  • BINARLY internal vulnerability identifier: BRLY-2025-009
  • CERT/CC assigned CVE identifier: CVE-2025-7027
  • CVSS v3.1: 8.2 High AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected firmware with confirmed impact by BINARLY team

Device Version OEM IBV Name Kind
GA-H110M-S2HP F22f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 GAMING X F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2H V2 F13 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2H F17 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2V F26a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2H F26g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2H V2 (rev. 1.9/2.1) FA (2024-07-03) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H V2 (rev. 1.9) FA (2024-07-09) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-DS3H DDR3 F21f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2V DDR3 F21e (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2 DDR3 F20g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H510M DS2 F15 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
G1.Sniper M7 F20h (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150-HD3P F24h (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-DS2 DDR3 F20g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS PRO WIFI F13 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS PRO F13 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS MASTER F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H310TN-CM F17 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H310M D3H F5 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS XTREME WATERFORCE F8 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B360M D2V F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
B360M H F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
B360M GAMING HD F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-D3H F22f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-D3H R2 TPM F22e (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-D3H R2 F24a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B360 AORUS GAMING 3 F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
B360 AORUS GAMING 3 WIFI F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150-HD3 DDR3 F20h (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H310M S2H F18 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H310M DS2V F17 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H310M S2H FQ (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 GAMING X AX F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 GAMING X F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS MASTER WATERFORCE F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
B460M H F5 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
B460M GAMING HD F7 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110-D3A F26a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B560 HD3 F17 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B460M DS3H AC F7 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
B460M AORUS PRO F8 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2 F16 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M H V2 F4 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H510M DS2V F16 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H510M H F19 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z490I AORUS ULTRA F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-Gaming F20h (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B360 HD3P F16 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-DS2 (rev. 1.0/1.1/1.2) F28b (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H470M K F8 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M K FC (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H510M K V2 F3 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2H V3 F3 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H V2 FC (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2 V2 FC (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H510M H V2 F3 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2 V2 F3 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H470M H F5 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS MASTER F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-DS2V DDR3 F22a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-DS3H F22h (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS XTREME F10 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2H V3 F9 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M DS2V V3 F9 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2 V3 F9 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H V3 F9 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-DS2 FCa (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-D2V F22f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 VISION D F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
C621 AORUS XTREME F4b (2024-08-22) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110TN-E F23f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B360M DS3H F19 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2H V2 F6 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M DS2V V2 F5 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2 V2 F5 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H V2 F5 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H510M K F6 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS ELITE AX F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS ELITE F8 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B460M DS3H V2 F26 (2024-02-27) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150N-GSM F24b (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z490M GAMING X F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z490M F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-D3V DDR3 F20h (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B460M D2V F8 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 GAMING X F11 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H470M DS3H F25 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS XTREME WATERFORCE 5G F5 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2PV F26a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2PT F25a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2H DDR3 F21a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H510M DS2V FF (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2 FF (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H510M H FF (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
C246-WU4 F8 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS PRO AX F11 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS XTREME WATERFORCE F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M K (rev. 1.2) F2 (2024-11-05) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS ULTRA F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS ULTRA G2 F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS XTREME F14 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M DS3H F11 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M DS3H V2 F11 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M DS3H PLUS F9 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS ELITE F24 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS ELITE AC F24 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110MSTX-HD3-ZK F26a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2H V2 F5 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H V2 (rev. 2.0) F5 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2 V2 F5 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-D3H F25d (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2H V2 FF (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z590M GAMING X F9 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110TN-M F23f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110TN-CM F26a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 VISION G F9 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 I AORUS PRO WIFI F9 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B560M DS3H AC F14 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 UD V2 F3 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B360M D3V F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
H510M HD3P F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
C246N-WU2 F4 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150-HD3 F23f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-A F25a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-H (rev. 1.0/1.1/1.2) F28a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-M.2 F25a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B560M H F13 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M GAMING HD F14 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M POWER F14 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M D2V F14 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
W480 VISION W F24 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H370 AORUS GAMING 3 WIFI F15 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H370 AORUS GAMING 3 F15 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B360 HD3 F17 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2 V3 FF (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M DS2V V3 FF (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H V3 FF (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2H V3 FF (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
W480 VISION D F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H310M S2V F16 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H310M S2 F18 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-D3H DDR3 F21a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B560M AORUS PRO AX F14 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M AORUS PRO F11 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H370M D3H F15 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H370M D3H GSM F15 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H370M DS3H F15 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H310TN-R2 F4 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-D3V F22f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-D2V DDR3 F20g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-Gaming 3 F26a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-X150M-PRO ECC F22i (2024-08-14) Gigabyte AMI GenericComponentSmmEntry SMM
B460M D3H F7 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2 F27b (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Q370M D3H GSM PLUS F16 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110N F25a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 VISION G F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
B360N WIFI F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-WW F25a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H310M M.2 2.0 FB (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
G1.Sniper B7 F22g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 D F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS ELITE F11 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B460M AORUS ELITE F7 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H510M A F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H410M HD3P FB (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H470I AORUS PRO AX F25 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS TACHYON F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M AORUS ELITE F12 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
W480M VISION W F24 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS XTREME WATERFORCE F9 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H310 D3 F19 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 UD AC F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 UD F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H310M H F20 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H370N WIFI F16 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS PRO AX F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
B360N AORUS GAMING WIFI F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
H310M HD2 F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 D F4 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-H DDR3 F25a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110-D3 F25a (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2PV DDR3 F20g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B360 M AORUS PRO F6 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2PH DDR3 F20g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H310M A F16 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H410M K F6 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
B460M DS3H F7 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H F8 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2 F9 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 UD F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 UD AC F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2H V2 FH (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M DS2V V2 FF (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M H V2 FH (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2 V2 FH (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150N Phoenix-WIFI F22f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150N Phoenix F20h (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 AORUS ULTRA F9 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B460M POWER F7 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
B560I AORUS PRO AX F13 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H510M S2P F14 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B560M D3H F12 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z590I VISION D F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
H470 AORUS PRO AX F25 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
GA-X170-EXTREME ECC F21h (2024-08-01) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H310MSTX-HD3 F7 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B460 AORUS PRO AC F9 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M S2H F8 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
H410M DS2V F6 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-DS2V F25b (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 UD F11 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B560 AORUS PRO AX F13 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
C246M-WU4 F7 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B560M-D3P F11 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 M GAMING F10 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H410M HD3P F8 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
Z590I AORUS ULTRA F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS MASTER F12 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H310N F18 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
B360M HD3 F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
B360M D3P F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 AORUS ULTRA F11 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H470 HD3 F25 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
Z490 AORUS XTREME F23 (2023-12-20) Gigabyte AMI GenericComponentSmmEntry SMM
H310M DS2 F21 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
H310M S2P F23 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-DS3P F22f (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z590M F9 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-HD3 F22g (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
B460 HD3 F6 (2024-01-04) Gigabyte AMI GenericComponentSmmEntry SMM
Q570M D3H F11 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
GA-H110M-S2PH F28b (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
H370 HD3 F16 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z590 VISION D F10 (2023-12-19) Gigabyte AMI GenericComponentSmmEntry SMM
B360M D3H F16 (2024-01-10) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 DESIGNARE F10 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 M F7 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM
GA-B150M-HD3 DDR3 F20i (2024-07-31) Gigabyte AMI GenericComponentSmmEntry SMM
Z390 GAMING SLI F11 (2024-01-11) Gigabyte AMI GenericComponentSmmEntry SMM

Vulnerability description

Let's consider the module 5f42fc844985adaf4dcb21aeced55f40128e33ef454607f910cbedf7e9e08c4a.

The pseudocode of the vulnerable function at 0x179B8 is shown below (SwSmiInputValue: 0xB2):

EFI_STATUS SwSmiHandler(
        EFI_HANDLE DispatchHandle,
        const void *Context,
        EFI_SMM_SW_CONTEXT *CommBuffer,
        UINTN *CommBufferSize)
{
  UINTN SwSmiCpuIndex;
  INT32 Result;
  UINT32 RbxRegister;
  UINT32 RcxRegister;
  UINT32 Value;

  Value = 0;
  if ( CommBuffer && CommBufferSize )
    SwSmiCpuIndex = CommBuffer->SwSmiCpuIndex;
  else
    SwSmiCpuIndex = Value;
  if ( SwSmiCpuIndex != -1 )
  {
    // 1. read buffer address in RbxRegister
    gEfiSmmCpuProtocol->ReadSaveState(
      gEfiSmmCpuProtocol,
      4,
      EFI_SMM_SAVE_STATE_REGISTER_RBX,
      SwSmiCpuIndex,
      &RbxRegister);

    // 2. read command in RcxRegister
    gEfiSmmCpuProtocol->ReadSaveState(
      gEfiSmmCpuProtocol,
      4,
      EFI_SMM_SAVE_STATE_REGISTER_RCX,
      SwSmiCpuIndex,
      &RcxRegister);

    if ( RcxRegister )
    {
      if ( RcxRegister != 1 )
      {
        Value = 0x8004;
_WriteRbx:
        gEfiSmmCpuProtocol->WriteSaveState(
          gEfiSmmCpuProtocol,
          4,
          EFI_SMM_SAVE_STATE_REGISTER_RBX,
          SwSmiCpuIndex,
          &Value);
        return 0;
      }
      // vulnerable function
      Result = CommandRcx1(RbxRegister);
    }
    else
    {
      Result = CommandRcx0(RbxRegister);
    }
    Value = Result;
    if ( (Result - 0x9001) <= 1 )
    {
      gEfiSmmCpuProtocol->WriteSaveState(
        gEfiSmmCpuProtocol,
        4,
        EFI_SMM_SAVE_STATE_REGISTER_RCX,
        SwSmiCpuIndex,
        &Value);
      Value = 0xFFFF;
    }
    goto _WriteRbx;
  }
  return 0;
}

As the pseudocode shows, the handler implements the following logic:

  • read the command from EFI_SMM_SAVE_STATE_REGISTER_RCX into the RcxRegister variable
  • read the buffer address from EFI_SMM_SAVE_STATE_REGISTER_RBX into the RbxRegister variable
  • execute CommandRcx1 or CommandRcx0, depending on the RcxRegister (command) value

The pseudocode of the CommandRcx1 function is shown below:

INT32 CommandRcx1(BIOS_SETTINGS_DATA_HEADER *RbxRegister)
{
  if ( RbxRegister->Signature != '2DB$' )
    return 0x8001;
  GetSetupXtuBufferAddress(&SetupXtuBufferAddress);
  ControlledPtrFromVariable = SetupXtuBufferAddress;
  ControlledPtrFromSaveState = RbxRegister + 1;
  if ( RbxRegister->Count )
  {
    Count = RbxRegister->Count;
    do
    {
      Sig = ControlledPtrFromSaveState->Signature;
      if ( (LOBYTE(ControlledPtrFromSaveState->Signature) - 7) > 7 )
      {
        if ( Sig == 15 )
        {
          Res = 7;
        }
        else if ( (Sig - 0x1A) > 9 )
        {
          Val = ControlledPtrFromSaveState->Signature;
          if ( Sig == 0x19 )
            Val = '#';
          Res = Val;
        }
        else
        {
          Res = Sig - 1;
        }
      }
      else
      {
        Res = Sig + 1;
      }
      Length = ControlledPtrFromSaveState->Length;
      ControlledPtrFromSaveState = (ControlledPtrFromSaveState + 8);
      // SMRAM write and limited SMRAM read,
      // SetupXtuBufferAddress and ControlledPtrFromSaveState are not validated
      *(ControlledPtrFromVariable + 2 * Res + 0xC) = Length;
      --Count;
    }
    while ( Count );
  }
  ...
}

EFI_STATUS GetSetupXtuBufferAddress(UINT64 *SetupXtuBufferAddressOut)
{
  UINT64 SetupXtuBufferAddress;
  UINTN DataSize;

  SetupXtuBufferAddress = 0;
  DataSize = 8;
  gRT->GetVariable(L"SetupXtuBufferAddress", &gVendorGuid, 0, &DataSize, &SetupXtuBufferAddress);
  *SetupXtuBufferAddressOut = SetupXtuBufferAddress;
  return 0;
}

As the pseudocode shows:

  • ControlledPtrFromVariable - address obtained from the value of the SetupXtuBufferAddress NVRAM variable
  • ControlledPtrFromSaveState - address obtained from the attacker-controlled RbxRegister value

The following code allows an attacker to write controllable data to a controllable address inside SMRAM:

Length = ControlledPtrFromSaveState->Length;
ControlledPtrFromSaveState = (ControlledPtrFromSaveState + 8);
// SMRAM write and limited SMRAM read,
// SetupXtuBufferAddress and ControlledPtrFromSaveState are not validated
*(ControlledPtrFromVariable + 2 * Res + 0xC) = Length;
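
The checks that CommandRcx1 omits, written out as an added example (not code from the advisory, the firmware or the vendor's fix): both pointers are range-checked against SMRAM and the remapped index is bounds-checked before the store. The SMRAM window, header size, entry limit, 8-bit identifier, 16-bit slot width and table length are constructed assumptions; EDK II firmware would normally use SmmIsBufferOutsideSmmValid() from SmmMemLib for the range test.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed values for this example (assumptions, not from the firmware). */
#define SMRAM_BASE  0x8B000000ULL
#define SMRAM_SIZE  0x00800000ULL
#define HEADER_SIZE 16u    /* assumed sizeof(BIOS_SETTINGS_DATA_HEADER) */
#define ENTRY_SIZE  8u     /* entry stride used by the loop on the page */
#define MAX_ENTRIES 64u    /* assumed policy limit on Count */
#define TABLE_LEN   (0xCu + 2u * 0x24u) /* assumed: 16-bit slots 0..0x23 */

typedef enum { REQ_OK, REQ_BAD_INPUT, REQ_BAD_COUNT, REQ_BAD_TABLE } req_status;

/* True only if [addr, addr+len) is non-null, non-empty, does not wrap
   around and does not overlap SMRAM. */
bool range_outside_smram(uint64_t addr, uint64_t len)
{
    if (addr == 0 || len == 0 || addr > UINT64_MAX - len)
        return false;
    return addr + len <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Checks to run before the loop. `count` must already be copied into a
   local so the caller cannot change it after validation. */
req_status validate_request(uint64_t rbx, uint32_t count, uint64_t table)
{
    if (!range_outside_smram(rbx, HEADER_SIZE))
        return REQ_BAD_INPUT;
    if (count > MAX_ENTRIES)
        return REQ_BAD_COUNT;
    if (!range_outside_smram(rbx, HEADER_SIZE + (uint64_t)count * ENTRY_SIZE))
        return REQ_BAD_INPUT;
    if (!range_outside_smram(table, TABLE_LEN))
        return REQ_BAD_TABLE;
    return REQ_OK;
}

/* Index remapping as in the CommandRcx1 pseudocode, assuming an unsigned
   8-bit identifier and unsigned comparisons. */
uint32_t remap_index(uint8_t sig)
{
    if ((uint8_t)(sig - 7) <= 7)    return sig + 1u;  /* 7..14 -> 8..15 */
    if (sig == 15)                  return 7;
    if ((uint8_t)(sig - 0x1A) <= 9) return sig - 1u;  /* 0x1A..0x23 */
    return sig == 0x19 ? 0x23 : sig;
}

/* Bounds-checked form of `*(Table + 2 * Res + 0xC) = Length`. */
bool store_setting(uint8_t *table, size_t table_len, uint8_t sig, uint16_t length)
{
    size_t off = 0xC + 2u * (size_t)remap_index(sig);
    if (off + sizeof length > table_len)
        return false;
    memcpy(table + off, &length, sizeof length);
    return true;
}

int main(void)
{
    uint8_t table[TABLE_LEN] = {0};            /* constructed stand-in buffer */
    bool ok = validate_request(0x1000, 4, 0x2000) == REQ_OK
           && validate_request(0x1000, 4, SMRAM_BASE + 0x4000) == REQ_BAD_TABLE
           && store_setting(table, sizeof table, 0x19, 0x1234)
           && !store_setting(table, sizeof table, 0xFF, 0x1234);
    return ok ? 0 : 1;
}
```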

Disclosure timeline

This vulnerability is subject to a 90-day disclosure period. After 90 days, or when a patch has been made generally available (whichever comes first), the advisory will be publicly disclosed.

Disclosure Activity Date
CERT/CC is notified 2025-04-15
Gigabyte confirmed issue 2025-06-12
CERT/CC assigned CVE number 2025-07-02
BINARLY public disclosure date 2025-07-10

Acknowledgements

BINARLY REsearch team