ByteOS

Product

ThinkPad BIOS

Default Status

unaffected

Versions

Affected

various

Problem Types

Type	CWE ID	Description
CWE	CWE-1419	CWE-1419: Incorrect Initialization of Resource

Type: CWE

CWE ID: CWE-1419

Description: CWE-1419: Incorrect Initialization of Resource

Metrics

Version	Base score	Base severity	Vector
3.1	6.7	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Version: 3.1

Base score: 6.7

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Solutions

Update system firmware to the version (or newer) indicated for your model in the advisory: https://support.lenovo.com/us/en/product_security/LEN-141775

Credits

finder

Lenovo thanks Krzysztof Okupski, Enrique Nissim, Joseph Tartaro of IOActive for reporting this vulnerability.

References

Hyperlink	Resource
https://support.lenovo.com/us/en/product_security/LEN-141775	N/A

Hyperlink: https://support.lenovo.com/us/en/product_security/LEN-141775

Resource: N/A

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://support.lenovo.com/us/en/product_security/LEN-141775	x_transferred

Hyperlink: https://support.lenovo.com/us/en/product_security/LEN-141775

Resource:

x_transferred

2. CISA ADP Vulnrichment

Affected Products

Vendor

Product

thinkpad

CPEs

cpe:2.3:h:lenovo:thinkpad:-:*:*:*:*:*:*:*

Default Status

unknown

Versions

Affected

various

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:psirt@lenovo.com

Published At:08 Nov, 2023 | 22:15

Updated At:16 Sep, 2024 | 15:15

A vulnerability was reported in some ThinkPad BIOS that could allow a physical or local attacker with elevated privileges to tamper with BIOS firmware.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	6.7	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Secondary	3.1	6.7	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Type: Primary

Version: 3.1

Base score: 6.7

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 6.7

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CPE Matches

cpe:2.3:h:lenovo:thinkpad_x13_gen_3:-:*:*:*:*:*:*:*

>>thinkpad_x13_gen_3>>-

cpe:2.3:o:lenovo:thinkpad_x13_gen_3_firmware:-:*:*:*:*:*:*:*

>>thinkpad_x13_gen_3_firmware>>-

cpe:2.3:h:lenovo:thinkpad_s2_yoga_gen_7:-:*:*:*:*:*:*:*

>>thinkpad_s2_yoga_gen_7>>-

cpe:2.3:o:lenovo:thinkpad_s2_yoga_gen_7_firmware:*:*:*:*:*:*:*:*

>>thinkpad_s2_yoga_gen_7_firmware>>Versions before 1.19(exclusive)

cpe:2.3:h:lenovo:thinkpad_s2_yoga_gen_6:-:*:*:*:*:*:*:*

>>thinkpad_s2_yoga_gen_6>>-

cpe:2.3:o:lenovo:thinkpad_s2_yoga_gen_6_firmware:-:*:*:*:*:*:*:*

>>thinkpad_s2_yoga_gen_6_firmware>>-

cpe:2.3:h:lenovo:thinkpad_s2_gen_8:-:*:*:*:*:*:*:*

>>thinkpad_s2_gen_8>>-

cpe:2.3:o:lenovo:thinkpad_s2_gen_8_firmware:-:*:*:*:*:*:*:*

>>thinkpad_s2_gen_8_firmware>>-

cpe:2.3:h:lenovo:thinkpad_p14s_gen_3:-:*:*:*:*:*:*:*

>>thinkpad_p14s_gen_3>>-

cpe:2.3:o:lenovo:thinkpad_p14s_gen_3_firmware:-:*:*:*:*:*:*:*

>>thinkpad_p14s_gen_3_firmware>>-

cpe:2.3:h:lenovo:thinkpad_p16s_gen_1:-:*:*:*:*:*:*:*

>>thinkpad_p16s_gen_1>>-

cpe:2.3:o:lenovo:thinkpad_p16s_gen_1_firmware:-:*:*:*:*:*:*:*

>>thinkpad_p16s_gen_1_firmware>>-

cpe:2.3:o:lenovo:thinkpad_t14_gen_3_firmware:-:*:*:*:*:*:*:*

>>thinkpad_t14_gen_3_firmware>>-

cpe:2.3:h:lenovo:thinkpad_t14_gen_3:-:*:*:*:*:*:*:*

>>thinkpad_t14_gen_3>>-

cpe:2.3:o:lenovo:thinkpad_t14s_gen_3_firmware:-:*:*:*:*:*:*:*

>>thinkpad_t14s_gen_3_firmware>>-

cpe:2.3:h:lenovo:thinkpad_t14s_gen_3:-:*:*:*:*:*:*:*

>>thinkpad_t14s_gen_3>>-

cpe:2.3:o:lenovo:thinkpad_t16_gen_1_firmware:-:*:*:*:*:*:*:*

>>thinkpad_t16_gen_1_firmware>>-

cpe:2.3:h:lenovo:thinkpad_t16_gen_1:-:*:*:*:*:*:*:*

>>thinkpad_t16_gen_1>>-

cpe:2.3:o:lenovo:thinkpad_l14_gen_3_firmware:*:*:*:*:*:*:*:*

>>thinkpad_l14_gen_3_firmware>>Versions before 1.23(exclusive)

cpe:2.3:h:lenovo:thinkpad_l14_gen_3:-:*:*:*:*:*:*:*

>>thinkpad_l14_gen_3>>-

cpe:2.3:o:lenovo:thinkpad_l14_gen_4_firmware:*:*:*:*:*:*:*:*

>>thinkpad_l14_gen_4_firmware>>Versions before 1.1(exclusive)

cpe:2.3:h:lenovo:thinkpad_l14_gen_4:-:*:*:*:*:*:*:*

>>thinkpad_l14_gen_4>>-

cpe:2.3:o:lenovo:thinkpad_l15_gen_3_firmware:*:*:*:*:*:*:*:*

>>thinkpad_l15_gen_3_firmware>>Versions before 1.23(exclusive)

cpe:2.3:h:lenovo:thinkpad_l15_gen_3:-:*:*:*:*:*:*:*

>>thinkpad_l15_gen_3>>-

cpe:2.3:o:lenovo:thinkpad_l15_gen_4_firmware:*:*:*:*:*:*:*:*

>>thinkpad_l15_gen_4_firmware>>Versions before 1.1(exclusive)

cpe:2.3:h:lenovo:thinkpad_l15_gen_4:-:*:*:*:*:*:*:*

>>thinkpad_l15_gen_4>>-

cpe:2.3:o:lenovo:thinkpad_l13_yoga_gen_4_firmware:-:*:*:*:*:*:*:*

>>thinkpad_l13_yoga_gen_4_firmware>>-

cpe:2.3:h:lenovo:thinkpad_l13_yoga_gen_4:-:*:*:*:*:*:*:*

>>thinkpad_l13_yoga_gen_4>>-

cpe:2.3:o:lenovo:thinkpad_l13_yoga_gen_3_firmware:*:*:*:*:*:*:*:*

>>thinkpad_l13_yoga_gen_3_firmware>>Versions before 1.19(exclusive)

cpe:2.3:h:lenovo:thinkpad_l13_yoga_gen_3:-:*:*:*:*:*:*:*

>>thinkpad_l13_yoga_gen_3>>-

cpe:2.3:o:lenovo:thinkpad_l13_yoga_gen_2_firmware:-:*:*:*:*:*:*:*

>>thinkpad_l13_yoga_gen_2_firmware>>-

cpe:2.3:h:lenovo:thinkpad_l13_yoga_gen_2:-:*:*:*:*:*:*:*

>>thinkpad_l13_yoga_gen_2>>-

cpe:2.3:o:lenovo:thinkpad_l13_gen_4_firmware:-:*:*:*:*:*:*:*

>>thinkpad_l13_gen_4_firmware>>-

cpe:2.3:h:lenovo:thinkpad_l13_gen_4:-:*:*:*:*:*:*:*

>>thinkpad_l13_gen_4>>-

cpe:2.3:o:lenovo:thinkpad_l13_gen_3_firmware:*:*:*:*:*:*:*:*

>>thinkpad_l13_gen_3_firmware>>Versions before 1.19(exclusive)

cpe:2.3:h:lenovo:thinkpad_l13_gen_3:-:*:*:*:*:*:*:*

>>thinkpad_l13_gen_3>>-

cpe:2.3:o:lenovo:thinkpad_l13_gen_2_firmware:-:*:*:*:*:*:*:*

>>thinkpad_l13_gen_2_firmware>>-

cpe:2.3:h:lenovo:thinkpad_l13_gen_2:-:*:*:*:*:*:*:*

>>thinkpad_l13_gen_2>>-

cpe:2.3:o:lenovo:thinkpad_s2_yoga_gen_8_firmware:-:*:*:*:*:*:*:*

>>thinkpad_s2_yoga_gen_8_firmware>>-

cpe:2.3:h:lenovo:thinkpad_s2_yoga_gen_8:-:*:*:*:*:*:*:*

>>thinkpad_s2_yoga_gen_8>>-

References

Hyperlink	Source	Resource
https://support.lenovo.com/us/en/product_security/LEN-141775	psirt@lenovo.com	Vendor Advisory

Hyperlink: https://support.lenovo.com/us/en/product_security/LEN-141775

Source: psirt@lenovo.com

Resource:

Vendor Advisory

Similar CVEs

69Records found

CVE-2021-4212

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.11% / 30.00%

7 Day CHG~0.00%

Published-22 Apr, 2022 | 20:30

Updated-03 Aug, 2024 | 17:16

A potential vulnerability in the SMI callback function used in the Legacy BIOS mode driver in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.

Product-ideapad_5_pro-16ihu6_firmware ideapad_gaming_3-15imh05_firmware l340-17irh_firmware ideapad_5-14alc05 ideapad_5-14alc05_firmware l340-15iwl_touch_firmware ideapad_5_pro-16ihu6 ideapad_gaming_3-15ach6 legion_y545_firmware slim_7-14itl05 yoga_creator_7-15imh05 e41-50_firmware yoga_6-13alc6_firmware l340-15iwl_firmware flex-14iml legion_y545 ideapad_5-15itl05_firmware yoga_slim_7-15imh05 yoga_slim_7-15iil05 ideapad_3-14are05 s540-14iml slim_7-14itl05_firmware l340-17iwl yoga_creator_7-15imh05_firmware legion_y540-15irh-pg0_firmware ideapad_5-15itl05 s340-14iml legion_y7000-2019-pg0 ideapad_gaming_3-15imh05 slim_7-14are05 ideapad_3-17are05_firmware thinkbook_plus_g2_itg ideapad_3-15are05 s340-13iml ideapad_5_pro-14acn6 yoga_slim_7-15imh05_firmware ideapad_5-14are05 legion_y540-15irh-pg0 ideapad_creator_5-15imh05 s340-15api s340-15iml ideapad_5_pro-14acn6_firmware yoga_slim_7-14itl05_firmware yoga_slim_7-15itl05 v140-15iwl_firmware s540-14iml_firmware ideapad_gaming_3-15arh05_firmware s540-14iml_touch slim_7-14are05_firmware legion_y540-17irh-pg0_firmware ideapad_3-15are05_firmware yoga_slim_7-14are05 slim_7-15imh05 d330-10igm_firmware l340-15iwl ideapad_5_pro-14itl6_firmware s340-14api_firmware s340-14api legion_y540-17irh l340-15irh s340-15iml_firmware legion_y7000-2019-pg0_firmware slim_7-15itl05_firmware legion_y545-pg0_firmware v340-17iwl s340-14iml_firmware legion_y7000-2019_firmware ideapad_gaming_3-15ach6_firmware yoga_slim_7-14iil05 yoga_slim_7_carbon_13itl5 legion_y540-17irh_firmware slim_7-15iil05 yoga_6-13alc6 ideapad_3-17are05 yoga_slim_7-14iil05_firmware l340-17iwl_firmware yoga_slim_7_carbon_13itl5_firmware c340-15iml ideapad_5_pro-14itl6 d330-10igm legion_y540-17irh-pg0 flex-15iml_firmware thinkbook_13x_itg duet_3-10igl5 thinkbook_13x_itg_firmware s340-13iml_firmware v14-are yoga_slim_7-15iil05_firmware s340-15api_touch yoga_slim_7-14are05_firmware flex-15iml l340-15iwl_touch thinkbook_plus_g2_itg_firmware v14-are_firmware v340-17iwl_firmware s540-14iml_touch_firmware ideapad_creator_5-15imh05_firmware c340-15iml_firmware slim_7-15itl05 ideapad_gaming_3-15arh05 slim_7-15imh05_firmware flex-14iml_firmware s340-15api_firmware duet_3-10igl5_firmware legion_y540-15irh_firmware s340-15api_touch_firmware slim_7-15iil05_firmware legion_y7000-2019 c340-14iml s540-15iml_firmware thinkbook_14_g3_itl_firmware yoga_slim_7-15itl05_firmware legion_y540-15irh e41-50 yoga_slim_7-14itl05 ideapad_3-14are05_firmware c340-14iml_firmware s540-15iml ideapad_5-14are05_firmware v140-15iwl l340-15irh_firmware legion_y545-pg0 l340-17irh thinkbook_14_g3_itl BIOS

CWE ID-CWE-20

Improper Input Validation

CVE-2023-34419

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.04% / 9.72%

7 Day CHG~0.00%

Published-17 Aug, 2023 | 16:49

Updated-02 Aug, 2024 | 16:10

A buffer overflow has been identified in the SetupUtility driver in some Lenovo Notebook products which may allow an attacker with local access and elevated privileges to execute arbitrary code.

Product-legion_pro_7_16irx8h legion_7-16ithg6 legion_5_15arh7_firmware legion_pro_7_16irx8h_firmware legion_5-17ach6h legion_5-15ith6h legion_5_pro_16arh7 legion_5-15ach6 legion_5-15ach6a_firmware legion_7-16ithg6_firmware legion_5-15ach6h_firmware legion_5_pro_16arh7h legion_5_pro_16arh7h_firmware legion_5-15ith6_firmware legion_5-17ith6 legion_s7_16arha7 legion_5_pro-16ach6h legion_5-17ach6 legion_5-15ith6h_firmware legion_5-17ach6_firmware legion_7-16arha7 thinkbook_15p_g2_ith_firmware legion_5_pro_16iah7h_firmware legion_5_pro-16ith6 legion_5_15iah7h legion_5-17ith6h legion_5_pro-16ith6h_firmware legion_5-17ith6h_firmware legion_5_pro_16iah7 legion_5_15arh7h_firmware legion_pro_7_16irx8_firmware legion_pro_7_16irx8 legion_pro_5_16irx8_firmware thinkbook_16p_g3_arh legion_5_15iah7h_firmware legion_5-15ach6a legion_5-17ith6_firmware legion_5_pro-16ach6 legion_5_15iah7_firmware legion_5_15iah7 legion_5_pro_16arh7_firmware legion_5-15ith6 legion_pro_5_16irx8 thinkbook_16p_g3_arh_firmware thinkbook_15p_g2_ith legion_5_15arh7 legion_5_pro-16ith6h legion_5_pro-16ach6h_firmware legion_5-15ach6_firmware legion_s7_16arha7_firmware legion_5-17ach6h_firmware legion_5_pro_16iah7_firmware legion_5_pro_16iah7h legion_5_pro-16ach6_firmware legion_7-16arha7_firmware legion_7-16achg6_firmware legion_5-15ach6h legion_5_pro-16ith6_firmware legion_5_15arh7h legion_7-16achg6 Lenovo Notebook

CWE ID-CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVE-2022-1892

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.04% / 9.58%

7 Day CHG~0.00%

Published-23 Jan, 2023 | 15:31

Updated-02 Apr, 2025 | 14:37

A buffer overflow in the SystemBootManagerDxe driver in some Lenovo Notebook products may allow an attacker with local privileges to execute arbitrary code.

CWE ID-CWE-122

Heap-based Buffer Overflow

CWE ID-CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVE-2022-1108

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.08% / 25.38%

7 Day CHG~0.00%

Published-22 Apr, 2022 | 20:30

Updated-02 Aug, 2024 | 23:55

A potential vulnerability due to improper buffer validation in the SMI handler LenovoFlashDeviceInterface in Thinkpad X1 Fold Gen 1 could be exploited by an attacker with local access and elevated privileges to execute arbitrary code.

Product-thinkpad_x1_fold_gen_1 thinkpad_x1_fold_gen_1_firmware ThinkPad BIOS

CWE ID-CWE-20

Improper Input Validation

CWE ID-CWE-269

Improper Privilege Management

CVE-2021-4210

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.11% / 30.03%

7 Day CHG~0.00%

Published-22 Apr, 2022 | 20:30

Updated-03 Aug, 2024 | 17:16

A potential vulnerability in the SMI callback function used in the NVME driver in some Lenovo Desktop, ThinkStation, and ThinkEdge models may allow an attacker with local access and elevated privileges to execute arbitrary code.

CWE ID-CWE-20

Improper Input Validation

CVE-2021-4211

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.04% / 10.85%

7 Day CHG~0.00%

Published-22 Apr, 2022 | 20:30

Updated-03 Aug, 2024 | 17:16

A potential vulnerability in the SMI callback function used in the SMBIOS event log driver in some Lenovo Desktop, ThinkStation, and ThinkEdge models may allow an attacker with local access and elevated privileges to execute arbitrary code.

CWE ID-CWE-20

Improper Input Validation

CVE-2021-3970

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.44% / 62.29%

7 Day CHG~0.00%

Published-22 Apr, 2022 | 20:30

Updated-03 Aug, 2024 | 17:09

A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models BIOS may allow an attacker with local access and elevated privileges to execute arbitrary code.

CWE ID-CWE-20

Improper Input Validation

CVE-2023-25493

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.02% / 2.61%

7 Day CHG~0.00%

Published-05 Apr, 2024 | 20:46

Updated-16 Sep, 2024 | 15:15

A potential vulnerability was reported in the BIOS update tool driver for some Desktop, Smart Edge, Smart Office, and ThinkStation products that could allow a local user with elevated privileges to execute arbitrary code.

Product-BIOS bios

CWE ID-CWE-306

Missing Authentication for Critical Function

CVE-2021-3719

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.04% / 9.81%

7 Day CHG~0.00%

Published-12 Nov, 2021 | 22:05

Updated-03 Aug, 2024 | 17:01

A potential vulnerability in the SMI callback function that saves and restore boot script tables used for resuming from sleep state in some ThinkCentre and ThinkStation models may allow an attacker with local access and elevated privileges to execute arbitrary code.

CWE ID-CWE-20

Improper Input Validation

CVE-2021-3599

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.04% / 9.81%

7 Day CHG~0.00%

Published-12 Nov, 2021 | 22:05

Updated-03 Aug, 2024 | 17:01

A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.

CWE ID-CWE-20

Improper Input Validation

CVE-2021-3452

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.13% / 32.55%

7 Day CHG~0.00%

Published-16 Jul, 2021 | 20:30

Updated-03 Aug, 2024 | 16:53

A potential vulnerability in the system shutdown SMI callback function in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.

CWE ID-CWE-20

Improper Input Validation

CVE-2024-3100

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.04% / 10.13%

7 Day CHG~0.00%

Published-13 Sep, 2024 | 17:26

Updated-17 Sep, 2024 | 14:38

A potential buffer overflow vulnerability was reported in some Lenovo Notebook products that could allow a local attacker with elevated privileges to execute arbitrary code.

CWE ID-CWE-121

Stack-based Buffer Overflow

CVE-2022-4435

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.05% / 14.42%

7 Day CHG~0.00%

Published-05 Jan, 2023 | 17:33

Updated-10 Apr, 2025 | 14:07

A buffer over-read vulnerability was reported in the ThinkPadX13s BIOS LenovoRemoteConfigUpdateDxe driver that could allow a local attacker with elevated privileges to cause information disclosure.

Product-thinkpad_x13s_firmware thinkpad_x13s ThinkPad X13s

CWE ID-CWE-126

Buffer Over-read

CWE ID-CWE-125

Out-of-bounds Read

CVE-2022-4433

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.05% / 14.42%

7 Day CHG~0.00%

Published-05 Jan, 2023 | 17:32

Updated-10 Apr, 2025 | 14:08

A buffer over-read vulnerability was reported in the ThinkPadX13s BIOS LenovoSetupConfigDxe driver that could allow a local attacker with elevated privileges to cause information disclosure.

Product-thinkpad_x13s_firmware thinkpad_x13s ThinkPad X13s

CWE ID-CWE-126

Buffer Over-read

CWE ID-CWE-125

Out-of-bounds Read

CVE-2022-3744

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.03% / 5.17%

7 Day CHG~0.00%

Published-23 Aug, 2023 | 19:43

Updated-03 Aug, 2024 | 01:20

A potential vulnerability was discovered in LCFC BIOS for some Lenovo consumer notebook models that could allow a local attacker with elevated privileges to unlock UEFI variables due to a hard-coded SMI handler credential.

CWE ID-CWE-798

Use of Hard-coded Credentials

CVE-2022-3746

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.03% / 5.17%

7 Day CHG~0.00%

Published-23 Aug, 2023 | 19:43

Updated-03 Aug, 2024 | 01:20

A potential vulnerability was discovered in LCFC BIOS for some Lenovo consumer notebook models that could allow a local attacker with elevated privileges to cause some peripherals to work abnormally due to an exposed Embedded Controller (EC) interface.

CWE ID-CWE-284

Improper Access Control

CVE-2020-8322

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.4||MEDIUM

EPSS-0.05% / 15.15%

7 Day CHG~0.00%

Published-09 Jun, 2020 | 19:50

Updated-16 Sep, 2024 | 20:52

A potential vulnerability in the SMI callback function used in the Legacy USB driver in some Lenovo Notebook and ThinkStation models may allow arbitrary code execution.

Product-thinkbook_13s-iwl_firmware v130-15igm_firmware v110-15ast v340-iml_firmware xx-14api_qc_2019_firmware v730-13ikb 340c-15api 720s-15ikb_firmware 14iwl_firmware s145-15api_firmware 330-15ast miix_720-12ikb_firmware wei5-15ikb s940-14iwl 720s_touch-15ikb_firmware v110-14ast v110-14ast_firmware 6_pro-14-iwl v130-15ikb 14iwl e53-80_firmware yoga_s730-13iwl_firmware v340-iil v310-15igm_firmware s145-14ast_firmware 330-17ast_firmware e52-80 xiaoxin_14-ast_qc_2019 e42-80 330-14ast v330-15igm_firmware e42-80_firmware v330-15ikb v110-15ast_firmware thinkbook_14s-iwl c640-iml_firmware v730-13isk v540s-13 e53-80 thinkbook_13s-iwl 330-14ast_firmware v540s-13_firmware s145-14api_firmware 6_pro-14-iwl_firmware 730s-13iwl_firmware v340-iml k3_firmware s540-13api_firmware v310-15igm k3 v130-15ikb_firmware s145-15ast_firmware 730s-13iwl s145-14ast 340c-15ast_firmware k32-80_skl c640-iml v330-15isk_firmware v730-13isk_firmware yoga_s940-14iwl_firmware k32-80_kbl_firmware k4-iwl 6_pro-13-iwl xx-14api_qc_2019 s145-14api s145-15ast 6_pro-13-iwl_firmware v730-15ikb miix_720-12ikb 330-15ast_firmware 720s_touch-15ikb v720-12_firmware v730-13ikb_firmware k32-80_skl_firmware v110-14ikb_firmware 340c-15api_firmware s145-15api k22-80 v110-14ikb v340-iil_firmware k22-80_firmware thinkbook_14s-iwl_firmware k4-iwl_firmware v330-15isk s540-13api 330-17ast v330-15igm wei5-15ikb_firmware 340c-15ast xiaoxin_14-ast_qc_2019_firmware yoga_s940-14iwl s750-iil s940-14iwl_firmware s750-iil_firmware 720s-15ikb v730-15ikb_firmware v720-12 v330-15ikb_firmware k32-80_kbl v130-15igm yoga_s730-13iwl e52-80_firmware BIOS

CVE-2024-4550

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.01% / 1.68%

7 Day CHG~0.00%

Published-13 Sep, 2024 | 17:26

Updated-16 Sep, 2024 | 17:59

A potential buffer overflow vulnerability was reported in some Lenovo ThinkSystem and ThinkStation products that could allow a local attacker with elevated privileges to execute arbitrary code.

Product-P360 Workstation (ThinkStation) BIOS ST58 V2 (ThinkSystem) BIOS ST50 (ThinkSystem) BIOS ST58 (ThinkSystem) BIOS ST50 V2 (ThinkSystem) BIOS thinksystem_st50_v2_firmware thinkstation_p360_workstation_firmware thinksystem_st58_v2_firmware thinksystem_st58_firmware thinksystem_st50_firmware

CWE ID-CWE-121

Stack-based Buffer Overflow

CVE-2024-45105

Matching Score-8

Assigner-Lenovo Group Ltd.

Matching Score-8

Assigner-Lenovo Group Ltd.

CVSS Score-6.7||MEDIUM

EPSS-0.03% / 8.28%

7 Day CHG~0.00%

Published-13 Sep, 2024 | 17:29

Updated-16 Sep, 2024 | 17:38

An internal product security audit discovered a UEFI SMM (System Management Mode) callout vulnerability in some ThinkSystem servers that could allow a local attacker with elevated privileges to execute arbitrary code.