CVE-2021-4210

moderate-risk

Published 2022-04-22

A potential vulnerability in the SMI callback function used in the NVME driver in some Lenovo Desktop, ThinkStation, and ThinkEdge models may allow an attacker with local access and elevated privileges to execute arbitrary code.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.7/10 Medium

LOCAL / LOW complexity

Affected Products (20)

Stadia Ggp-120 Firmware

Thinkedge Se30 Firmware

V540-24Iwl Firmware

Thinkstation P520 Firmware

Thinkstation P310 Firmware

V50T-13Imb Firmware

Thinkstation P520C Firmware

A540-27Icb Firmware

A540-24Icb Firmware

Ideacentre G5-14Imb05 Firmware

V410Z Firmware

Thinkcentre M910Z Firmware

Thinkcentre M70A Firmware

Thinkcentre M75N Firmware

Thinkcentre X1 Firmware

Thinkcentre M900 Firmware

Thinkcentre M810Z Firmware

Thinkcentre M90A Gen2 Firmware

Thinkcentre M820Z Firmware

Ideacentre Aio 3-27Itl6 Firmware

Affected Vendors

Lenovo

References (2)

Patch https://support.lenovo.com/us/en/product_security/LEN-77639

/ 100

moderate-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 23/34 · High