CVE-2023-40238 Overview
CVE-2023-40238 is a LogoFAIL vulnerability affecting the BmpDecoderDxe module in Insyde InsydeH2O UEFI firmware. The flaw resides in the BMP image parser executed during the Driver Execution Environment (DXE) phase of UEFI boot. A crafted BMP logo file triggers an integer signedness error in the PixelHeight and PixelWidth fields during RLE4/RLE8 decompression. This allows data to be copied to a controlled memory address, corrupting firmware execution state. Affected kernel branches include 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 on certain Lenovo and Fujitsu devices.
Critical Impact
A local attacker with low privileges can replace the BIOS logo image to corrupt memory during firmware boot, leading to high availability impact and potential pre-OS code execution.
Affected Products
- Insyde InsydeH2O kernel 5.2 prior to 05.28.47, 5.3 prior to 05.37.47, 5.4 prior to 05.45.47, 5.5 prior to 05.53.47, and 5.6 prior to 05.60.47
- Fujitsu Esprimo, Lifebook, Celsius, Stylistic, Primergy, and Primequest systems shipping affected InsydeH2O firmware
- Certain Lenovo devices as referenced in the original advisory
Discovery Timeline
- 2023-12-07 - CVE-2023-40238 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2023-40238
Vulnerability Analysis
The BmpDecoderDxe DXE driver decodes the boot logo image embedded in firmware before handing control to the operating system. When parsing a BMP using RLE4 or RLE8 compression, the decoder uses signed integer types for PixelHeight and PixelWidth from the BMP header. Attacker-controlled negative or large values bypass bounds validation and influence destination pointer arithmetic in the decompression routine. The resulting copy writes BMP pixel data to an address the attacker can steer, corrupting DXE memory regions.
Because the DXE phase executes with full firmware privilege before Secure Boot validates the OS loader, memory corruption here can be leveraged to subvert the integrity of the boot chain. This is the foundation of the LogoFAIL class of attacks documented by Binarly, where boot logo parsing becomes a pre-OS attack surface that bypasses runtime endpoint protection.
Root Cause
The root cause is an integer signedness error during RLE4/RLE8 decoding. The BMP header fields PixelHeight and PixelWidth are interpreted as signed values without normalization, allowing crafted values to defeat size validation and drive an out-of-bounds write. The CWE classification associated with the advisory is CWE-312, though the exploitation primitive is an arbitrary write driven by malformed image dimensions.
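The following is an added illustration, not Insyde's BmpDecoderDxe code: it shows the bug class the advisory describes (a dimension check that compares signed values, so a negative PixelHeight passes the destination-size test) beside a hardened check that normalizes the sign and sizes the destination in unsigned arithmetic, followed by an RLE8 decoder that bounds every write against the row and the output buffer. MAX_DIM, the constructed 54-byte header, and the sample RLE8 byte streams are constructed for this example.

```c
/* Added example, not Insyde's code: the signed-dimension check pattern the
 * advisory describes beside a hardened check, plus an RLE8 decoder that bounds
 * every write. MAX_DIM and all sample bytes are constructed for this example. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define BMP_HDR_LEN 54     /* 14-byte file header + 40-byte BITMAPINFOHEADER */
#define BI_RLE8     1
#define BI_RLE4     2
#define MAX_DIM     16384  /* per-dimension sanity cap (assumed value) */

typedef struct {
    int32_t  width;        /* biWidth: a signed field in the BMP format */
    int32_t  height;       /* biHeight: signed; negative means top-down rows */
    uint16_t bpp;
    uint32_t compression;
} BmpInfo;
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int k = 0; k < 4; k++) p[k] = (uint8_t)(v >> (8 * k)); }

bool bmp_parse_header(const uint8_t *buf, size_t len, BmpInfo *out) {
    if (len < BMP_HDR_LEN || buf[0] != 'B' || buf[1] != 'M') return false;
    out->width       = (int32_t)rd32(buf + 18);   /* signed interpretation, as in the format */
    out->height      = (int32_t)rd32(buf + 22);
    out->bpp         = (uint16_t)(buf[28] | buf[29] << 8);
    out->compression = rd32(buf + 30);
    return true;
}

/* Weak check (the bug class): signed upper bounds only. A negative height makes
 * 'total' negative, so the destination-size comparison passes. */
bool bmp_dims_ok_weak(const BmpInfo *b, size_t dest_len) {
    if (b->width > MAX_DIM || b->height > MAX_DIM) return false;
    int64_t total = (int64_t)b->width * b->height;      /* negative when height < 0 */
    return total <= (int64_t)dest_len;
}

/* Hardened check: reject non-positive width and INT32_MIN, keep only the magnitude
 * of height (its sign selects row order), cap both dimensions, match bpp to the
 * RLE mode, and size the 8bpp destination in unsigned 64-bit arithmetic. */
bool bmp_dims_ok(const BmpInfo *b, size_t dest_len, uint32_t *w, uint32_t *h, bool *top_down) {
    if (b->width <= 0 || b->height == 0 || b->height == INT32_MIN) return false;
    uint32_t ww = (uint32_t)b->width;
    uint32_t hh = (uint32_t)(b->height < 0 ? -b->height : b->height);
    if (ww > MAX_DIM || hh > MAX_DIM) return false;
    if ((b->compression == BI_RLE8 && b->bpp != 8) || (b->compression == BI_RLE4 && b->bpp != 4)) return false;
    if ((uint64_t)ww * hh > dest_len) return false;
    *w = ww; *h = hh; *top_down = b->height < 0;
    return true;
}

/* RLE8 decode into a w*h index buffer. Every write is checked against the current
 * row and the buffer; returns false on an out-of-bounds write or truncated input. */
bool rle8_decode(const uint8_t *src, size_t n, uint32_t w, uint32_t h, uint8_t *dst) {
    uint32_t x = 0, y = 0;
    for (size_t i = 0; i + 1 < n;) {
        uint8_t count = src[i], val = src[i + 1];
        i += 2;
        if (count) {                                        /* encoded run */
            if (y >= h || count > w - x) return false;
            memset(dst + (size_t)y * w + x, val, count);
            x += count;
        } else if (val == 0) { x = 0; y++;                  /* end of line */
        } else if (val == 1) { return true;                 /* end of bitmap */
        } else if (val == 2) {                              /* delta dx, dy */
            if (i + 1 >= n || src[i] > w - x || src[i + 1] > h - y) return false;
            x += src[i]; y += src[i + 1]; i += 2;
        } else {                                            /* absolute run, padded to 16 bits */
            size_t padded = (val + 1u) & ~1u;
            if (y >= h || val > w - x || i + padded > n) return false;
            memcpy(dst + (size_t)y * w + x, src + i, val);
            x += val; i += padded;
        }
    }
    return false;                                           /* ran out of input before EOF */
}

/* Constructed 54-byte header: 8bpp, RLE8, with the given signed dimensions. */
void make_header(uint8_t hdr[BMP_HDR_LEN], int32_t w, int32_t h) {
    memset(hdr, 0, BMP_HDR_LEN);
    hdr[0] = 'B'; hdr[1] = 'M'; hdr[26] = 1; hdr[28] = 8;   /* 1 plane, 8 bpp */
    wr32(hdr + 10, BMP_HDR_LEN); wr32(hdr + 14, 40);
    wr32(hdr + 18, (uint32_t)w); wr32(hdr + 22, (uint32_t)h); wr32(hdr + 30, BI_RLE8);
}

/* Constructed 4x2 RLE8 stream: row 0 = 7,0x0A,0x0B,0x0C; row 1 = 1,1,1,1. */
const uint8_t SAMPLE_RLE8[] = { 1,7, 0,3,0x0A,0x0B,0x0C,0, 0,0, 4,1, 0,1 };
/* Constructed malformed stream: a run of 5 pixels in a 4-pixel-wide row. */
const uint8_t BAD_RLE8[] = { 5,7, 0,1 };

int main(void) {
    uint8_t hdr[BMP_HDR_LEN], dst[8]; BmpInfo b; uint32_t w, h; bool td;
    make_header(hdr, 4, -8);                                /* 4 wide, 8 tall, top-down */
    bmp_parse_header(hdr, sizeof hdr, &b);
    printf("16-byte dest: weak=%d hardened=%d\n", bmp_dims_ok_weak(&b, 16), bmp_dims_ok(&b, 16, &w, &h, &td));
    printf("RLE8: sample=%d malformed=%d\n", rle8_decode(SAMPLE_RLE8, sizeof SAMPLE_RLE8, 4, 2, dst),
           rle8_decode(BAD_RLE8, sizeof BAD_RLE8, 4, 2, dst));
    return 0;
}
```

With a 4 by -8 header and a 16-byte destination the weak check accepts (4 * -8 = -32 is "less than" 16) while the hardened check rejects (32 bytes needed). The decoder's point is that validated dimensions alone are not enough: each run must also be checked against the row end and the buffer, which is what turns a malformed stream into a clean rejection rather than a write outside the destination.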
Attack Vector
Exploitation requires local access with sufficient privileges to modify the boot logo stored in the EFI System Partition or in firmware variables. An attacker with administrative access on the running OS replaces the legitimate logo with a malicious BMP. On the next reboot, BmpDecoderDxe parses the file, the signedness error triggers, and pixel data is copied to a chosen address during DXE. Because the boot logo is consumed before the OS loads, the attack persists across reinstallation of the operating system.
No verified public exploit code is available for CVE-2023-40238. See the Binarly LogoFAIL research for the broader technical analysis of image parser exploitation during UEFI boot.
Detection Methods for CVE-2023-40238
Indicators of Compromise
- Unexpected modification of boot logo files on the EFI System Partition (ESP), particularly files with .bmp extensions referenced by firmware
- Firmware variable changes affecting the OEM logo or splash image after a user-mode process executed with administrative rights
- Unscheduled firmware updates, unexplained reboots, or boot delays following logo file replacement on Insyde-based systems
Detection Strategies
- Inventory firmware versions across the fleet and flag systems running InsydeH2O kernel 5.2/5.3/5.4/5.5/5.6 below the fixed builds listed in Insyde Security Advisory SA-2023053
- Monitor write access to the EFI System Partition and to firmware variables that store custom logos; alert on writes performed by processes other than vendor update utilities
- Use UEFI integrity tools such as chipsec to validate the contents of the firmware volume containing BmpDecoderDxe against the patched vendor build
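As an added example for the fleet inventory point above (it is not Insyde's or any OEM's tooling), the program below classifies an InsydeH2O kernel version string against the fixed builds the advisory lists. Two things are assumptions: that the version is available as a "MM.NN.BB" string (obtaining it from a given device is OEM-specific), and that kernel branch 5.N corresponds to version strings of the form 05.Nx.yy, which is inferred from the fixed-build numbers themselves.

```c
/* Added example, not Insyde's or any OEM's tooling: flags an InsydeH2O kernel
 * version string against the fixed builds listed in the advisory. The input
 * format "MM.NN.BB" and the mapping kernel 5.N <-> strings 05.Nx.yy are
 * inferred from the advisory's numbers and are assumptions of this example. */
#include <stdlib.h>
#include <stdio.h>

typedef struct { int branch; int mid; int build; } FixedBuild; /* kernel 5.<branch> fixed at 05.<mid>.<build> */
static const FixedBuild FIXED[] = {
    { 2, 28, 47 }, { 3, 37, 47 }, { 4, 45, 47 }, { 5, 53, 47 }, { 6, 60, 47 },
};

/* Parse "MM.NN.BB" into three non-negative integers. Returns 0 on success. */
int parse_insyde_version(const char *s, int *major, int *mid, int *build) {
    char *end;
    long a = strtol(s, &end, 10);       if (end == s || *end != '.') return -1;
    long b = strtol(end + 1, &end, 10); if (*end != '.') return -1;
    long c = strtol(end + 1, &end, 10); if (*end != '\0') return -1;
    if (a < 0 || b < 0 || c < 0) return -1;
    *major = (int)a; *mid = (int)b; *build = (int)c;
    return 0;
}

/* 1 = below the fixed build of its branch (affected), 0 = fixed or later,
 * -1 = unparseable or not one of the five listed branches. */
int insyde_version_affected(const char *version) {
    int major, mid, build;
    if (parse_insyde_version(version, &major, &mid, &build) != 0 || major != 5) return -1;
    for (size_t i = 0; i < sizeof FIXED / sizeof FIXED[0]; i++) {
        if (FIXED[i].branch != mid / 10) continue;            /* 05.2x -> branch 5.2, etc. */
        if (mid != FIXED[i].mid) return mid < FIXED[i].mid ? 1 : 0;
        return build < FIXED[i].build ? 1 : 0;
    }
    return -1;
}

int main(int argc, char **argv) {
    /* Constructed sample inventory; version strings given as arguments override it. */
    const char *samples[] = { "05.28.46", "05.28.47", "05.37.50", "05.53.47", "05.52.99", "05.71.00", "bogus" };
    size_t n = argc > 1 ? (size_t)argc - 1 : sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++) {
        const char *v = argc > 1 ? argv[i + 1] : samples[i];
        int r = insyde_version_affected(v);
        printf("%-10s %s\n", v, r == 1 ? "AFFECTED (below fixed build)" : r == 0 ? "fixed" : "unknown branch/format");
    }
    return 0;
}
```

Feed it the version strings collected by your inventory tooling; anything reported as "unknown" needs a manual look rather than being treated as fixed.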
Monitoring Recommendations
- Collect and centralize firmware version telemetry from endpoints and servers and correlate against the fixed kernel builds documented by Insyde and Fujitsu
- Audit privileged process activity that touches \EFI\ paths or invokes SetFirmwareEnvironmentVariable-style APIs on Windows, or efivar/efivars on Linux
- Track CERT and vendor advisories (CERT VU#811862, NetApp Security Advisory) for additional affected product disclosures
How to Mitigate CVE-2023-40238
Immediate Actions Required
- Apply the firmware update from the device OEM that incorporates Insyde InsydeH2O kernel 5.2 at 05.28.47 or later, 5.3 at 05.37.47 or later, 5.4 at 05.45.47 or later, 5.5 at 05.53.47 or later, or 5.6 at 05.60.47 or later
- Restrict administrative access on endpoints so that local attackers cannot replace boot logos or write to firmware variables
- Enable measured boot and verify firmware measurements against a known-good baseline using TPM-backed attestation
Patch Information
Insyde published fixes in the kernel branches referenced above. See Insyde Security Advisory SA-2023053 and the Insyde Security Pledge for downstream OEM coordination. Fujitsu and other affected OEMs ship the corrected firmware through their standard BIOS update channels. NetApp documents impact and remediation in NTAP-20240105-0002.
Workarounds
- Where firmware updates are not yet available, disable custom boot logo features and revert to the vendor-signed default logo to remove the attacker-controlled BMP
- Enforce full disk encryption with TPM-bound keys so that pre-OS memory corruption cannot trivially expose data at rest
- Limit local administrative accounts and require just-in-time elevation to reduce the population of users who can stage a malicious logo file
# Verify the firmware version string reported via SMBIOS on Linux. dmidecode
# shows the OEM's BIOS version, not the Insyde kernel build directly; map it to
# the kernel build through the OEM's release notes or the Insyde advisory.
sudo dmidecode -s bios-version
sudo dmidecode -s bios-release-date
sudo dmidecode -t bios
# List BMP files on the EFI System Partition (mounted at /boot/efi on most
# distributions) modified after a reference file. /var/log/lastpatch is a
# placeholder marker: create it (touch) when the firmware update is applied.
sudo find /boot/efi -iname '*.bmp' -newer /var/log/lastpatch -ls
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

