CVE-2021-3971
high-risk
Published 2022-04-22
A potential vulnerability in a driver that was used during older manufacturing processes on some consumer Lenovo Notebook devices and was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.
Do I need to act?
EPSS score: 0.80% chance of exploitation (low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 6.7/10 · Medium · LOCAL / LOW complexity
Affected Products (20)
Ideapad 3-14Ada05 Firmware
Ideapad 3-14Ada6 Firmware
Ideapad 3-14Alc6 Firmware
Ideapad 3-14Are05 Firmware
Ideapad 3-15Ada6 Firmware
Ideapad 3-15Alc6 Firmware
Ideapad 3-15Are05 Firmware
Ideapad 3-15Igl05 Firmware
Ideapad 3-17Ada05 Firmware
Ideapad 3-17Ada6 Firmware
Ideapad 3-17Alc6 Firmware
Ideapad 3-17Are05 Firmware
Ideapad 3-17Iil05 Firmware
Ideapad 3-15Ada05 Firmware
L3-15Itl6 Firmware
L340-15Irh Firmware
L340-15Iwl Firmware
L340-15Iwl Touch Firmware
L340-17Irh Firmware
L340-17Iwl Firmware
Affected Vendors
References
Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-73440
52 / 100 · high-risk
Severity: 21/34 · High
Exploitability: 3/34 · Minimal
Exposure: 28/34 · Critical