
CVE-2025-22850: Intel UEFI Race Condition Vulnerability

CVE-2025-22850 is a time-of-check time-of-use race condition in the Intel UEFI PdaSmm module that may allow information disclosure. This article covers technical details, affected platforms, impact, and mitigation.


CVE-2025-22850 Overview

CVE-2025-22850 is a time-of-check time-of-use (TOCTOU) race condition in the UEFI PdaSmm module on certain Intel reference platforms. The flaw resides in System Management Mode (SMM) code that handles sensitive platform data. A privileged local attacker can exploit the race window between validation and use to read confidential memory contents. The weakness is classified as CWE-367 (Time-of-check Time-of-use Race Condition).

Exploitation requires local access, high privileges, and a high-complexity attack technique. No user interaction is required. The impact is limited to confidentiality of the SMM execution context; integrity and availability are not affected.

Critical Impact

A privileged local adversary can disclose sensitive data handled by the UEFI PdaSmm SMM module on affected Intel reference platforms.

Affected Products

  • Intel reference platforms using the UEFI PdaSmm module (specific platform list published in the Intel advisory)
  • Downstream OEM firmware derived from affected Intel reference code
  • Systems where the vulnerable SMM module is included in the platform BIOS image

Discovery Timeline

  • 2026-03-10 - CVE-2025-22850 published to NVD
  • 2026-03-11 - Last updated in NVD database

Technical Details for CVE-2025-22850

Vulnerability Analysis

The vulnerability is a TOCTOU race condition inside the UEFI PdaSmm module, which executes in System Management Mode. SMM is a highly privileged x86 CPU mode that operates below the operating system and hypervisor. Code running in SMM has unrestricted access to system memory, including kernel structures and platform secrets.

The PdaSmm handler validates input parameters or memory pointers passed from non-SMM code, then operates on those same values. Between the validation step and the use step, an attacker controlling another logical processor can modify the referenced data. The SMM handler then acts on attacker-modified state as if it had already been validated.

The end result is information disclosure from the SMM context to lower-privilege code. Memory regions that should be opaque to the operating system can be reflected back through the racy handler.

Root Cause

The root cause is non-atomic handling of shared memory references inside the PdaSmm System Management Interrupt (SMI) handler. The handler dereferences buffers supplied through the SMM communication interface after performing validation, without copying the data into SMRAM or otherwise protecting against concurrent modification by other CPU cores.
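The following is an added, constructed model of the check-then-use pattern described in the two paragraphs above; it is not Intel's PdaSmm code. The request layout, the `pda_store` contents and the `race_hook` callback (standing in for a second logical processor rewriting the shared communication buffer) are all assumptions made for illustration. The vulnerable handler re-reads the shared buffer after validating it; the hardened handler snapshots the request into SMRAM-local storage first and only ever validates and uses that copy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical request passed through the SMM communication buffer (outside SMRAM). */
typedef struct { uint32_t offset; uint32_t length; } PdaRequest;

#define STORE_SIZE   32
#define PUBLIC_LIMIT 16  /* bytes [0,16) may be returned to the caller; [16,32) are secret */
#define P8 0x50,0x50,0x50,0x50,0x50,0x50,0x50,0x50
#define S8 0x53,0x53,0x53,0x53,0x53,0x53,0x53,0x53
static const uint8_t pda_store[STORE_SIZE] = { P8, P8, S8, S8 };  /* constructed data */

/* Invoked between check and use: models another core modifying the shared buffer. */
static void (*race_hook)(PdaRequest *shared) = NULL;

static bool request_ok(const PdaRequest *r, size_t outlen) {
    return r->length != 0 && r->length <= outlen && r->length <= PUBLIC_LIMIT &&
           r->offset <= PUBLIC_LIMIT - r->length;
}

/* Vulnerable pattern: validates the shared buffer, then dereferences it again. */
static bool pda_read_vulnerable(PdaRequest *shared, uint8_t *out, size_t outlen) {
    if (!request_ok(shared, outlen)) return false;
    if (race_hook) race_hook(shared);                          /* race window */
    memcpy(out, pda_store + shared->offset, shared->length);   /* uses modified fields */
    return true;
}

/* Hardened pattern: one read of untrusted memory into a local (SMRAM) copy, then
   validate and use only the copy. Real firmware must also confirm the buffer lies
   outside SMRAM before touching it (EDK2 offers SmmIsBufferOutsideSmmValid). */
static bool pda_read_hardened(PdaRequest *shared, uint8_t *out, size_t outlen) {
    PdaRequest local = *shared;
    if (!request_ok(&local, outlen)) return false;
    if (race_hook) race_hook(shared);                          /* same race, no effect */
    memcpy(out, pda_store + local.offset, local.length);
    return true;
}

/* Attacker model: after validation, retarget the request at the secret region. */
static void flip_to_secret(PdaRequest *shared) { shared->offset = PUBLIC_LIMIT; }

/* Runs one handler against a racing writer; returns how many secret bytes it leaked. */
static int leaked_secret_bytes(bool (*handler)(PdaRequest *, uint8_t *, size_t)) {
    PdaRequest shared = { .offset = 0, .length = 8 };
    uint8_t out[8] = {0};
    race_hook = flip_to_secret;
    if (!handler(&shared, out, sizeof out)) return -1;
    int n = 0;
    for (size_t i = 0; i < sizeof out; i++) n += (out[i] == 0x53);
    return n;
}
```

Run both handlers through `leaked_secret_bytes`: the vulnerable one returns all eight secret bytes, the hardened one returns none, which is the whole difference between a TOCTOU handler and a fixed one.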

Attack Vector

An attacker must already possess high privileges on the local system, typically administrator or root. The attacker triggers the vulnerable SMI from one logical processor while a second thread races to modify the referenced buffer in shared memory. Winning the race exposes confidential data from SMM-controlled regions back to the attacker-controlled process.

The attack vector is local, complexity is high, and the EPSS score is 0.017%, reflecting low observed exploitation likelihood. No public proof-of-concept code is available.

Detection Methods for CVE-2025-22850

Indicators of Compromise

  • No public indicators of compromise have been published for CVE-2025-22850; the following are heuristic signals rather than confirmed IoCs
  • Anomalous SMI invocation rates from non-system processes targeting PdaSmm handlers
  • Unexpected access patterns to physical memory regions adjacent to SMRAM by privileged user-mode tools

Detection Strategies

  • Inventory firmware versions across endpoints and correlate against the fixed BIOS releases listed in the Intel advisory
  • Monitor for installation of kernel drivers or tooling that issues raw SMIs, which is uncommon on production endpoints
  • Audit administrative process creation that loads firmware interaction libraries or RWEverything-style utilities

Monitoring Recommendations

  • Track UEFI firmware versions through endpoint telemetry and flag systems running outdated BIOS
  • Alert on privileged processes accessing \\.\PhysicalMemory or equivalent firmware interfaces
  • Review SMM Transfer Monitor (STM) and SMI throttling logs where supported by the platform

How to Mitigate CVE-2025-22850

Immediate Actions Required

  • Apply the BIOS or UEFI firmware update from the system OEM that incorporates Intel's fix for the PdaSmm module
  • Restrict administrative and root privileges to reduce the population of users able to trigger local SMI exploitation
  • Inventory affected platforms using firmware management tooling and prioritize systems handling sensitive data

Patch Information

Intel has published mitigation guidance in Intel Security Advisory SA-01234. System owners should obtain updated BIOS images from their OEM that incorporate the patched PdaSmm module. Generic Intel reference firmware updates do not automatically propagate to shipped systems; OEM-signed updates are required.

Workarounds

  • No software workaround eliminates the underlying SMM race; a firmware update is the authoritative fix
  • Limit local administrative access through least-privilege policies and just-in-time elevation
  • Enable platform protections such as Boot Guard and BIOS write protection to prevent tampering with firmware update channels

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
