Cyber Resilience

CVE-2022-40261

HighPublic PoC

Published: 20 September 2022

Published
20 September 2022
Modified
28 May 2025
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0013 32.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-40261 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Intel Nuc M15 Laptop Kit Lapbc510 Firmware. Its CVSS base score is 8.2 (High).

Operationally, ranked at the 32.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other AI Platforms.

EU & UK References

Vulnerability details

An attacker can exploit this vulnerability to elevate privileges from ring 0 to ring -2, execute arbitrary code in System Management Mode - an environment more privileged than operating system (OS) and completely isolated from it. Running arbitrary code in…

more

SMM additionally bypasses SMM-based SPI flash protections against modifications, which can help an attacker to install a firmware backdoor/implant into BIOS. Such a malicious firmware code in BIOS could persist across operating system re-installs. Additionally, this vulnerability potentially could be used by malicious actors to bypass security mechanisms provided by UEFI firmware (for example, Secure Boot and some types of memory isolation for hypervisors). This issue affects: Module name: OverClockSmiHandler SHA256: a204699576e1a48ce915d9d9423380c8e4c197003baf9d17e6504f0265f3039c Module GUID: 4698C2BD-A903-410E-AD1F-5EEF3A1AE422

CWE(s)

AI Security AnalysisAI

AI Category
Other AI Platforms
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: backdoor

Related Threats

Affected Assets

intel
nuc m15 laptop kit lapbc510 firmware
all versions
intel
nuc m15 laptop kit lapbc710 firmware
all versions
ami
aptio v
5.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-120

Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.

References