CVE-2023-26299

Name: CVE-2023-26299
Creator: NVD / NIST
Published: 2023-06-30T16:15:09.543+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7/10EPSS 0.13%

Last modified Jun 17, 2026

CVE-2023-26299 is a high-severity vulnerability rated 7/10 on the CVSS scale. A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in certain HP PC products using AMI UEFI Firmware (system BIOS), which might allow arbitrary code execution. AMI has released updates to mitigate the potential vulnerability.. EPSS estimates a 0.13% chance of exploitation in the next 30 days.

Description

A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in certain HP PC products using AMI UEFI Firmware (system BIOS), which might allow arbitrary code execution. AMI has released updates to mitigate the potential vulnerability.

Metrics

CVSS 3.1

7/10

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.13%

2.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-367

Affected Software

Vendor	Product	Versions
Hp	260 G4 Desktop Mini Firmware	< 2.14
Hp	T430 Firmware	< 00.01.11
Hp	T628 Firmware	< 00.01.10
Hp	240 G10 Firmware	< f.04
Hp	245 G6 Firmware	< f.35
Hp	245 G7 Firmware	< f.69
Hp	245 G8 Firmware	< f.25
Hp	247 G8 Firmware	< f.69
Hp	250 G10 Firmware	< f.05
Hp	255 G10 Firmware	< f.08
Hp	349 G7 Firmware	< f.28
Hp	470 G10 Firmware	< f.02
Hp	470 G9 Firmware	< f.05
Hp	Zhan 99 G2 Firmware	< f.24
Hp	Zhan 99 G4 Firmware	< f.08
Hp	Vr Backpack G2 Firmware	< f.28
Hp	200 G3 Firmware	All versions
Hp	200 G4 22 All-In-One Firmware	All versions
Hp	200 Pro G4 22 All-In-One Firmware	All versions
Hp	205 G4 22 All-In-One Firmware	All versions
Hp	205 Pro G4 22 All-In-One Firmware	All versions
Hp	280 G3 Firmware	All versions
Hp	280 G4 Firmware	All versions
Hp	280 G4 Microtower Firmware	All versions
Hp	280 G5 Firmware	All versions
Hp	280 G5 Small Form Factor Firmware	All versions
Hp	280 G6 Firmware	All versions
Hp	280 G8 Microtower Firmware	All versions
Hp	280 Pro G3 Firmware	All versions
Hp	280 Pro G4 Microtower Firmware	All versions
Hp	280 Pro G5 Small Form Factor Firmware	All versions
Hp	282 G5 Firmware	All versions
Hp	282 G6 Firmware	All versions
Hp	282 Pro G4 Microtower Firmware	All versions
Hp	288 G5 Firmware	All versions
Hp	288 G6 Firmware	All versions
Hp	288 Pro G4 Microtower Firmware	All versions
Hp	290 G1 Firmware	All versions
Hp	290 G2 Firmware	All versions
Hp	290 G2 Microtower Firmware	All versions
Hp	290 G3 Firmware	All versions
Hp	290 G3 Small Form Factor Firmware	All versions
Hp	290 G4 Firmware	All versions
Hp	Desktop Pro G1 Microtower Firmware	All versions
Hp	Pro Small Form Factor 280 G9 Desktop Firmware	All versions
Hp	Pro Small Form Factor 290 G9 Desktop Firmware	All versions
Hp	Pro Small Form Factor Zhan 66 G9 Desktop Firmware	All versions
Hp	Pro Tower 200 G9 Desktop Firmware	All versions
Hp	Pro Tower 280 G9 Desktop Firmware	All versions
Hp	Pro Tower 290 G9 Desktop Firmware	All versions

Showing 50 of 59 affected configurations. See NVD for the full list.

References

https://support.hp.com/us-en/document/ish_8642715-8642746-16/hpsbhf03850Patch, Vendor Advisory
https://support.hp.com/us-en/document/ish_8642715-8642746-16/hpsbhf03850Patch, Vendor Advisory

Timeline

Published: Jun 30, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-26299?

How severe is CVE-2023-26299?

CVE-2023-26299 has a CVSS score of 7/10 (HIGH severity). The EPSS model estimates a 0.13% probability of exploitation in the next 30 days.

How do I fix CVE-2023-26299?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-26299?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST