CVE-2022-1892 — Heap-based Buffer Overflow in Lenovo 100e 2ND GEN Firmware

CWE-122 — Heap-based Buffer Overflow CWE-120 — Classic Buffer Overflow3 documents3 sources

Severity

7.8HIGHNVD

CNA6.7

EPSS

0.0%

top 86.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lenovo 100e 2ND GEN Firmware Lenovo 100w GEN 3 Firmware Lenovo 13W Yoga Firmware +68 more

Timeline

PublishedJan 26

Description

A buffer overflow in the SystemBootManagerDxe driver in some Lenovo Notebook products may allow an attacker with local privileges to execute arbitrary code.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages71 packages

▶NVDlenovo/v14-ada_firmware< e8cn36ww

▶NVDlenovo/v15-ada_firmware< e8cn36ww

▶NVDlenovo/13w_yoga_firmware< jacn31ww

▶NVDlenovo/14w_gen_2_firmware< h0cn21ww

▶NVDlenovo/100w_gen_3_firmware< gacn38ww

🔴Vulnerability Details

GHSA

GHSA-vw4p-v429-wp9h: A buffer overflow in the SystemBootManagerDxe driver in some Lenovo Notebook products may allow an attacker with local privileges to execute arbitrary↗2023-01-26

▶

CVEList

CVE-2022-1892: A buffer overflow in the SystemBootManagerDxe driver in some Lenovo Notebook products may allow an attacker with local privileges to execute arbitrary↗2023-01-23

▶