Black Hat Europe 2025 | Unveiling System Management Mode Memory Corruption Vulnerability Via Fuzzing

Black Hat
May 28, 2026

Why It Matters

Because SMM runs at Ring -2, above the OS kernel's Ring 0, a memory corruption bug in an SMI handler lets an attacker who already holds kernel privileges escalate into persistent, hard-to-detect firmware compromise that OS-level security tooling cannot observe; targeted fuzzing of closed-source SMM modules spotlights a critical attack surface for supply-chain and endpoint security.

Summary

At Black Hat Europe 2025, Jianqiang Wang (Max Planck Institute for Security and Privacy) presented work on uncovering System Management Mode (SMM) memory corruption vulnerabilities with fuzzing. The talk reviewed SMM's Ring -2 execution model (more privileged than the Ring 0 kernel), how SMM is entered through System Management Interrupts (SMIs), and how SMM modules are packaged in the UEFI firmware image and loaded during the UEFI DXE phase. Wang walked through the UEFI module entry points and interfaces and the firmware volume/file/section layout to motivate targeted fuzzing of SMM modules and their SMI handlers, and framed SMM fuzzing as a practical way to expose high-privilege firmware flaws that OS-level testing cannot reach.
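The firmware volume/file/section layout mentioned above is what a fuzzer has to understand before it can even find its targets. The following is an added example, not code from the talk or its framework: it walks a UEFI firmware volume using the PI-specification layouts (firmware volume header, FFS file header, section header), reports every file whose FFS type marks it as an SMM module, and locates the PE32 section inside it, which is the image a fuzzing harness would load. The function and type names (`fv_enumerate_smm_files`, `ffs_find_pe32`, `smm_hit_t`, `build_sample_fv`) are this example's own, the sample volume is constructed in the code rather than taken from real firmware, and the parser assumes erase polarity 1, no large-file (32-byte) headers, and does not verify header checksums.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FV_SIGNATURE           0x4856465FU /* "_FVH" read as a little-endian UINT32 */
#define FV_FIXED_HEADER_SIZE   0x38        /* header fields before the block map */
#define FFS_HEADER_SIZE        24
#define FFS_ATTRIB_LARGE_FILE  0x01        /* 32-byte header variant, not handled here */
#define FFS_TYPE_DXE_DRIVER    0x07
#define FFS_TYPE_SMM           0x0A
#define FFS_TYPE_COMBINED_SMM_DXE 0x0C
#define FFS_TYPE_SMM_CORE      0x0D
#define SECTION_PE32           0x10
#define SECTION_USER_INTERFACE 0x15

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd24(const uint8_t *p) { return (uint32_t)(p[0] | p[1] << 8 | p[2] << 16); }
static uint32_t rd32(const uint8_t *p) { return rd24(p) | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void put24(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); }

static int is_smm_type(uint8_t t) {
    return t == FFS_TYPE_SMM || t == FFS_TYPE_COMBINED_SMM_DXE || t == FFS_TYPE_SMM_CORE;
}

/* Offset (relative to the file start) of the first PE32 section, or 0 if none.
 * Sections follow the 24-byte file header, each starting on a 4-byte boundary. */
uint32_t ffs_find_pe32(const uint8_t *file, uint32_t file_size) {
    uint32_t off = FFS_HEADER_SIZE;
    while (off + 4 <= file_size) {
        uint32_t ssize = rd24(file + off);                   /* section size incl. header */
        if (ssize < 4 || off + ssize > file_size) return 0;  /* malformed section */
        if (file[off + 3] == SECTION_PE32) return off;
        off = (off + ssize + 3) & ~3u;
    }
    return 0;
}

typedef struct { int n; uint8_t type; uint32_t fv_off; uint32_t pe32_off; } smm_hit_t;

/* Walk every file in the volume; SMM-type files are recorded in *hit (last one wins).
 * Returns the number of SMM-type files, or -1 on an inconsistent header. */
int fv_enumerate_smm_files(const uint8_t *fv, size_t fv_len, smm_hit_t *hit) {
    if (fv_len < FV_FIXED_HEADER_SIZE || rd32(fv + 0x28) != FV_SIGNATURE) return -1;
    uint64_t declared = rd64(fv + 0x20);                 /* FvLength */
    uint16_t hdr_len  = rd16(fv + 0x30);                 /* HeaderLength, block map included */
    if (declared > fv_len || hdr_len < FV_FIXED_HEADER_SIZE || hdr_len > declared) return -1;
    int count = 0;
    size_t off = hdr_len;                                /* files are 8-byte aligned in the FV */
    while (off + FFS_HEADER_SIZE <= declared) {
        const uint8_t *f = fv + off;
        uint8_t type = f[0x12], attrs = f[0x13];
        uint32_t size = rd24(f + 0x14);
        if (type == 0xFF) break;                          /* erased free space (erase polarity 1) */
        if (attrs & FFS_ATTRIB_LARGE_FILE) return -1;     /* assumption: no large files */
        if (size < FFS_HEADER_SIZE || off + size > declared) return -1;
        if (is_smm_type(type)) {
            count++;
            if (hit) { hit->n = count; hit->type = type; hit->fv_off = (uint32_t)off;
                       hit->pe32_off = ffs_find_pe32(f, size); }
        }
        off = (off + size + 7) & ~(size_t)7;
    }
    return count;
}

/* ---- constructed sample volume (not real firmware) ---- */
static size_t add_file(uint8_t *fv, size_t off, uint8_t type, uint8_t guid_byte,
                       const uint8_t *stypes, const uint32_t *ssizes, int nsec) {
    uint8_t *f = fv + off;
    uint32_t cur = FFS_HEADER_SIZE, end = FFS_HEADER_SIZE;
    for (int i = 0; i < nsec; i++) {
        put24(f + cur, ssizes[i]); f[cur + 3] = stypes[i];
        memset(f + cur + 4, 0xAA, ssizes[i] - 4);        /* dummy section body */
        end = cur + ssizes[i];
        cur = (end + 3) & ~3u;
    }
    memset(f, guid_byte, 16);                            /* file name GUID (dummy) */
    f[0x10] = f[0x11] = 0;                               /* IntegrityCheck: not computed here */
    f[0x12] = type; f[0x13] = 0;
    put24(f + 0x14, end);                                /* Size covers header + sections */
    f[0x17] = 0xF8;                                      /* State: valid file, erase polarity 1 */
    return (off + end + 7) & ~(size_t)7;
}

size_t build_sample_fv(uint8_t *fv, size_t cap) {
    memset(fv, 0xFF, cap);                               /* erased flash */
    memset(fv, 0x00, 0x10);                              /* ZeroVector */
    memset(fv + 0x10, 0x11, 0x10);                       /* FileSystemGuid (dummy) */
    for (int i = 0; i < 8; i++) fv[0x20 + i] = (uint8_t)((uint64_t)cap >> (8 * i));
    memcpy(fv + 0x28, "_FVH", 4);
    memset(fv + 0x2C, 0, 0x0C);                          /* Attributes .. Reserved */
    fv[0x30] = 0x48; fv[0x37] = 2;                       /* HeaderLength (one block-map entry), Revision */
    memset(fv + 0x38, 0, 16); fv[0x38] = 1;              /* block map: 1 block of cap bytes, then terminator */
    for (int i = 0; i < 4; i++) fv[0x3C + i] = (uint8_t)(cap >> (8 * i));
    size_t off = 0x48;
    uint8_t dxe_t[] = { SECTION_PE32 };                          uint32_t dxe_s[] = { 36 };
    uint8_t smm_t[] = { SECTION_USER_INTERFACE, SECTION_PE32 };  uint32_t smm_s[] = { 14, 52 };
    off = add_file(fv, off, FFS_TYPE_DXE_DRIVER, 0xD1, dxe_t, dxe_s, 1);
    off = add_file(fv, off, FFS_TYPE_SMM, 0x5A, smm_t, smm_s, 2);
    return cap;
}

static smm_hit_t g_hit;
static uint8_t g_fv[512];

/* Build the sample volume and enumerate it; the SMM hit lands in g_hit. */
int run_demo(void) {
    size_t n = build_sample_fv(g_fv, sizeof g_fv);
    memset(&g_hit, 0, sizeof g_hit);
    return fv_enumerate_smm_files(g_fv, n, &g_hit);
}

int main(void) {
    int n = run_demo();
    printf("SMM-type files: %d; last at FV offset 0x%x (type 0x%02x), PE32 section at +0x%x\n",
           n, g_hit.fv_off, g_hit.type, g_hit.pe32_off);
    return n == 1 ? 0 : 1;
}
```

On the constructed volume the walker skips the DXE driver and reports the one SMM file at FV offset 136 with its PE32 image at offset 40 inside the file. Real images add nesting (compressed and GUID-defined sections, volumes inside files) and, on the fuzzing side, the file's SMM dependency expression decides when the module is dispatched; both are left out here so the fixed-size headers stay visible.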

Original Description

System Management Mode (SMM) is an operating mode introduced by the x86 processor to handle critical hardware events and chipset errors. SMM applications, designed to run in this mode, operate at a high privilege level (known as Ring -2, which is even higher than the kernel mode, Ring 0). With the high privilege, SMM applications have almost unlimited access to system resources. However, vendors commonly adopt memory-unsafe programming languages, such as C and C++, to develop SMM applications, making them prone to memory corruption vulnerabilities. Once compromised, the attacker may gain complete control over the system. This intrinsic feature makes SMM applications a very attractive target for attackers.
While SMM applications play a crucial role in the foundation of low-level system software, applying efficient and effective fuzzing to them is a very challenging and complex task. In this talk, we present the first systematic SMM application fuzzing framework specifically designed to detect memory corruption vulnerabilities in closed-source SMM applications. We observe that the SMM application, as part of the UEFI firmware, is supposed to run in a UEFI runtime environment. Without such an environment, SMM applications cannot be correctly initialized and executed. As such, we will present all the technical details related to an all-in-one solution for SMM application fuzzing. Our framework offers a fully featured UEFI runtime environment. With such an environment, we ensure that fuzzing does not result in early crashes and a high number of false positives. Additionally, we present the details behind a universal fuzzing harness for successful fuzzing campaigns. The fuzzing harness contains an interface grouping and a memory access interception mechanism to infer the input semantics, such that it can explore the deep logic of SMM applications. Our framework has already proven its impact: in our experiments, we identified a total of 38 new vulnerabilities in firmware from nine well-known vendors. We will share the technical insights behind these discoveries and walk through several real-world case studies that highlight the power and versatility of our approach.
By: Jianqiang Wang | Dr.-Ing., Max Planck Institute for Security and Privacy
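The abstract names the bug class (memory corruption in an SMI handler reachable from Ring 0) and the harness technique (memory access interception to infer input semantics) without showing either. The following is an added, self-contained C model, not code from the talk, its case studies or its framework: a hypothetical SMI handler that copies a payload to a caller-supplied address, first in the classic vulnerable form and then hardened with an SMRAM range check that also handles the wraparound edge case, plus a minimal deterministic fuzz loop that plays the role of access interception by scanning an SMRAM canary after each call. SMRAM is modelled as the middle page of a host-side arena, the communication buffer layout (`comm_buf_t`) and all function names are this example's own, and nothing here runs in real SMM.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host-side model: a three-page arena whose middle page stands in for SMRAM.
 * Keeping the arena contiguous lets the vulnerable handler write "anywhere"
 * in the model without touching real host memory. */
#define PAGE        4096
#define SMRAM_SIZE  PAGE
static uint8_t g_arena[3 * PAGE];
#define SMRAM_BASE  ((uint64_t)(uintptr_t)(g_arena + PAGE))

/* Communication buffer the OS hands to the SMI handler (hypothetical layout). */
typedef struct {
    uint64_t dst;        /* caller-supplied destination address */
    uint32_t len;        /* caller-supplied length */
    uint8_t  data[64];   /* payload */
} comm_buf_t;

/* Vulnerable pattern: dst and len are attacker-controlled and used as-is, so a
 * Ring 0 caller can make Ring -2 code overwrite SMRAM on its behalf. */
int smi_handler_vulnerable(const comm_buf_t *cb) {
    memcpy((void *)(uintptr_t)cb->dst, cb->data, cb->len);
    return 0;
}

/* True if [addr, addr+len) lies entirely outside SMRAM and does not wrap around. */
bool range_outside_smram(uint64_t addr, uint64_t len) {
    if (len == 0) return true;
    if (addr + len < addr) return false;                 /* wraparound would fool the end check */
    return addr + len <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Hardened form: bound len by the buffer and reject any range touching SMRAM.
 * A real handler must apply the same check to the comm buffer address itself
 * before reading it, and work on a snapshot of the fields so they cannot change
 * between validation and use. */
int smi_handler_hardened(const comm_buf_t *cb) {
    uint64_t dst = cb->dst;                              /* snapshot, then validate */
    uint32_t len = cb->len;
    if (len > sizeof cb->data) return -1;
    if (!range_outside_smram(dst, len)) return -2;
    memcpy((void *)(uintptr_t)dst, cb->data, len);
    return 0;
}

/* Deterministic xorshift64 so the fuzz run is reproducible. */
static uint64_t g_rng;
static uint64_t next_rand(void) {
    uint64_t x = g_rng; x ^= x << 13; x ^= x >> 7; x ^= x << 17; return g_rng = x;
}

/* Did the handler write into SMRAM? SMRAM is filled with a canary beforehand. */
static bool smram_corrupted(void) {
    for (size_t i = 0; i < SMRAM_SIZE; i++) if (g_arena[PAGE + i] != 0x5A) return true;
    return false;
}

/* Minimal fuzz loop: random dst across the arena, random len, and a post-call
 * canary scan standing in for the harness's memory access interception. Returns
 * how many iterations changed SMRAM. */
int fuzz_smram_hits(int (*handler)(const comm_buf_t *), int iterations) {
    int hits = 0;
    g_rng = 0x9E3779B97F4A7C15ULL;
    for (int i = 0; i < iterations; i++) {
        comm_buf_t cb;
        memset(g_arena, 0x5A, sizeof g_arena);
        memset(cb.data, 0x41, sizeof cb.data);
        cb.dst = (uint64_t)(uintptr_t)g_arena + next_rand() % (sizeof g_arena - sizeof cb.data);
        cb.len = (uint32_t)(next_rand() % (sizeof cb.data + 1));
        handler(&cb);
        if (smram_corrupted()) hits++;
    }
    return hits;
}

/* A legitimate request targeting ordinary memory must still succeed. */
int legit_request(int (*handler)(const comm_buf_t *)) {
    comm_buf_t cb = { .dst = (uint64_t)(uintptr_t)g_arena + 16, .len = 8 };
    memset(cb.data, 0x41, sizeof cb.data);
    return handler(&cb);
}

int main(void) {
    printf("vulnerable: %d SMRAM writes in 1000 runs\n", fuzz_smram_hits(smi_handler_vulnerable, 1000));
    printf("hardened:   %d SMRAM writes in 1000 runs\n", fuzz_smram_hits(smi_handler_hardened, 1000));
    return legit_request(smi_handler_hardened) == 0 ? 0 : 1;
}
```

The vulnerable handler is hit in roughly a third of the runs (the share of the arena that is SMRAM), the hardened one in none, and a legitimate copy to ordinary memory still succeeds. In EDK2 firmware the equivalent of `range_outside_smram` is the SmmMemLib check `SmmIsBufferOutsideSmmValid`, which should guard both the communication buffer and every pointer it carries.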
