CVE-2024-23593 — Improper Validation of Specified Quantity in Input in Lenovo Windows 7 AND 8 PC Preloads

CWE-1284 — Improper Validation of Specified Quantity in Input CWE-121 — Stack-based Buffer Overflow6 documents5 sources

Severity

6.7MEDIUMNVD

EPSS

0.0%

top 86.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lenovo Windows 7 AND 8 PC Preloads Msrc Windows 10 Version 1809 FOR 32-bit Systems Msrc Windows 10 Version 1809 FOR Arm64-based Systems +16 more

Timeline

PublishedApr 15

Description

A vulnerability was reported in a system recovery bootloader that was part of the Lenovo preloaded Windows 7 and 8 operating systems from 2012 to 2014 that could allow a privileged attacker with local access to modify the boot manager and escalate privileges.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages19 packages

▶msrcmsrc/windows_10_version_1809_for_32-bit_systems

▶msrcmsrc/windows_10_version_21h2_for_32-bit_systems

▶msrcmsrc/windows_10_version_22h2_for_32-bit_systems

▶msrcmsrc/windows_10_version_1809_for_x64-based_systems

▶msrcmsrc/windows_10_version_21h2_for_x64-based_systems

🔴Vulnerability Details

GHSA

GHSA-pcf5-pv9f-hrqm: A vulnerability was reported in a system recovery bootloader that was part of the Lenovo preloaded Windows 7 and 8 operating systems from 2012 to 201↗2024-04-15

▶

📋Vendor Advisories

Microsoft

Lenovo: CVE-2024-23593 Modify Boot Manager and Escalate Privileges↗2024-04-09

▶

🕵️Threat Intelligence

Trendmicro

The April 2024 Security Updates Review↗2024-04-09

▶

Bleepingcomputer

Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs↗2024-04-09

▶

Trendmicro

The April 2024 Security Updates Review↗2024-04-09

▶