CVE-2021-3599

high-risk
Published 2021-11-12

A potential vulnerability in the SMI callback function used to access flash device in some ThinkPad models may allow an attacker with local access and elevated privileges to execute arbitrary code.

Do I need to act?

0.04% chance of exploitation (EPSS score: low exploit probability)
Not on CISA KEV list (no confirmed active exploitation reported to CISA)
Patch status unknown (check vendor advisories for fix availability and mitigation guidance)
CVSS 6.7/10 Medium (attack vector: local, attack complexity: low)

Affected Products (20)

ThinkPad X380 Yoga Firmware
ThinkPad X1 Fold Gen 1 Firmware
ThinkPad Yoga 260 Firmware
ThinkPad Yoga 11e 3rd Gen Firmware
ThinkPad Yoga 15 Firmware
ThinkPad Yoga 370 Firmware
ThinkPad X12 Detachable Gen 1 Firmware
ThinkPad X390 Firmware
ThinkPad Yoga 11e 4th Gen Firmware
ThinkPad Yoga 11e 5th Gen Firmware
ThinkPad X250 Firmware
ThinkPad X260 Firmware
ThinkPad X390 Yoga Firmware
ThinkPad X280 Firmware
ThinkPad X1 Titanium Firmware
ThinkPad X270 Firmware
ThinkPad X1 Carbon 5th Gen Kabylake Firmware
ThinkPad X13 Gen 1 Firmware
ThinkPad X13 Gen 2 Firmware
ThinkPad X13 Yoga Gen 1 Firmware

Affected Vendors

Score 53/100 · high-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 32/34 · Critical