CVE-2021-3786

CWE-20 — Improper Input Validation3 documents3 sources

Severity

5.5MEDIUM

EPSS

0.0%

top 86.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

134

Lenovo Thinkpad 10 Firmware Lenovo Thinkpad 11E 3RD GEN Firmware Lenovo Thinkpad 11E 4TH GEN Firmware +131 more

Timeline

PublishedNov 12

Latest updateMay 24

Description

A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad systems could be used to leak out data out of the SMRAM range.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 0.8 | Impact: 3.6

Affected Packages134 packages

▶CVEListV5lenovo/notebook_and_thinkpad_biosvarious

▶NVDlenovo/thinkpad_10_firmware< 2021-10-25

▶NVDlenovo/thinkpad_25_firmware< n1qet92w

▶NVDlenovo/thinkpad_p1_firmware< n2eet54w

▶NVDlenovo/thinkpad_e15_firmware< 2021-10-15

Patches

Patch: support.lenovo.com ↗Patch: support.lenovo.com ↗

🔴Vulnerability Details

GHSA

GHSA-mxm2-jrgh-833g: A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad systems could be used to leak o↗2022-05-24

▶

CVEList

CVE-2021-3786: A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad systems could be used to leak o↗2021-11-12

▶