CVE-2022-40136

moderate-risk

Published 2023-01-30

An information leak vulnerability in SMI Handler used to configure platform settings over WMI in some Lenovo models may allow an attacker with local access and elevated privileges to read SMM memory.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.4/10 Medium

LOCAL / LOW complexity

Affected Products (20)

Ideacentre C5-14Imb05 Firmware

Thinkcentre E96Z Firmware

Ideacentre 3 07Iab7 Firmware

Ideacentre 3-07Imb05 Firmware

Ideacentre 5 14Iab7 Firmware

Ideacentre 5-14Acn6 Firmware

Ideacentre 5-14Imb05 Firmware

Ideacentre 5-14Iob6 Firmware

Ideacentre Creator 5-14Iob6 Firmware

Ideacentre G5-14Imb05 Firmware

Ideacentre Gaming 5 17Acn7 Firmware

Ideacentre Gaming 5 17Iab7 Firmware

Ideacentre Gaming 5-14Acn6 Firmware

Ideacentre Gaming 5-14Iob6 Firmware

Legion C530-19Icb Firmware

Legion T5-26Iob6 Firmware

Legion T5-28Icb05 Firmware

Legion T530-28Apr Firmware

Legion T530-28Icb Firmware

Legion T7-34Imz5 Firmware

Affected Vendors

Lenovo

References (2)

Vendor Advisory https://support.lenovo.com/us/en/product_security/LEN-94953

/ 100

moderate-risk

Severity 15/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 33/34 · Critical