CVE-2021-3786
moderate-risk
Published 2021-11-12
A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad systems could be used to leak data out of the SMRAM range.
Do I need to act?
0.04% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 4.4/10 · Medium · LOCAL / LOW complexity
Affected Products (20)
ThinkPad X380 Yoga Firmware
ThinkPad X1 Fold Gen 1 Firmware
ThinkPad Yoga 260 Firmware
ThinkPad Yoga 11E 3rd Gen Firmware
ThinkPad Yoga 15 Firmware
ThinkPad Yoga 370 Firmware
ThinkPad X12 Detachable Gen 1 Firmware
ThinkPad X390 Firmware
ThinkPad Yoga 11E 4th Gen Firmware
ThinkPad Yoga 11E 5th Gen Firmware
ThinkPad X250 Firmware
ThinkPad X260 Firmware
ThinkPad X390 Yoga Firmware
ThinkPad X280 Firmware
ThinkPad X1 Titanium Firmware
ThinkPad X270 Firmware
ThinkPad X1 Carbon 5th Gen Kabylake Firmware
ThinkPad X13 Gen 1 Firmware
ThinkPad X13 Gen 2 Firmware
ThinkPad X13 Yoga Gen 1 Firmware
Affected Vendors
47 / 100 · moderate-risk
Severity: 15/34 · Moderate
Exploitability: 0/34 · Minimal
Exposure: 32/34 · Critical