Skip to main content

Thinkpad E14 Firmware CVE-2023-2290

MEDIUM
Out-of-bounds Write (CWE-787)
2023-06-26 psirt@lenovo.com
Memory Corruption Buffer Overflow RCE Thinkpad E14 Firmware Thinkpad E14 Gen 2 Firmware Thinkpad E14 Gen 4 Firmware Thinkpad E15 Firmware Thinkpad E15 Gen 2 Firmware Thinkpad E15 Gen 4 Firmware Thinkpad E490 Firmware Thinkpad E490S Firmware Thinkpad E590 Firmware Thinkpad L13 Gen 3 Firmware Thinkpad L13 Yoga Gen 3 Firmware Thinkpad L14 Firmware Thinkpad L15 Firmware Thinkpad L15 Gen 2 Firmware Thinkpad L15 Gen 3 Firmware Thinkpad L490 Firmware Thinkpad L590 Firmware Thinkpad P1 Gen 2 Firmware Thinkpad P1 Gen 3 Firmware Thinkpad P1 Gen 4 Firmware Thinkpad P1 Gen 5 Firmware Thinkpad P14S Gen 1 Firmware Thinkpad P14S Gen 2 Firmware Thinkpad P14S Gen 3 Firmware Thinkpad P15 Gen 1 Firmware Thinkpad P15 Gen 2 Firmware Thinkpad P15S Gen 1 Firmware Thinkpad P15S Gen 2 Firmware Thinkpad P15V Gen 1 Firmware Thinkpad P15V Gen 2 Firmware Thinkpad P15V Gen 3 Firmware Thinkpad P16 Gen 1 Firmware Thinkpad P16S Gen 1 Firmware Thinkpad P17 Gen 1 Firmware Thinkpad P17 Gen 2 Firmware Thinkpad P43S Firmware Thinkpad P53 Firmware Thinkpad P53S Firmware Thinkpad P73 Firmware Thinkpad T14 Gen 1 Firmware Thinkpad T14 Gen 2 Firmware Thinkpad T14 Gen 3 Firmware Thinkpad T14S Firmware Thinkpad T14S Gen 2 Firmware Thinkpad T14S Gen 3 Firmware Thinkpad T15 Firmware Thinkpad T15 Gen 2 Firmware Thinkpad T15G Gen 1 Firmware Thinkpad T15G Gen 2 Firmware Thinkpad T15P Gen 1 Firmware Thinkpad T15P Gen 2 Firmware Thinkpad T15P Gen 3 Firmware Thinkpad T16 Gen 1 Firmware Thinkpad T490 Firmware Thinkpad T490S Firmware Thinkpad T590 Firmware Thinkpad Thinkpad R14 Gen 2 Firmware Thinkpad Thinkpad R14 Gen 4 Firmware Thinkpad Thinkpad S3 2Nd Gen Firmware Thinkpad X1 Carbon 10Th Gen Firmware Thinkpad X1 Carbon 7Th Gen Firmware Thinkpad X1 Carbon 8Th Gen Firmware Thinkpad X1 Carbon 9Th Gen Firmware Thinkpad X1 Extreme 2Nd Gen Firmware Thinkpad X1 Extreme 3Rd Gen Firmware Thinkpad X1 Extreme 4Th Gen Firmware Thinkpad X1 Extreme Gen 5 Firmware Thinkpad X1 Nano Gen 1 Firmware Thinkpad X1 Nano Gen 2 Firmware Thinkpad X1 Titanium Firmware Thinkpad X1 Yoga 4Th Gen Firmware Thinkpad X1 Yoga 5Th Gen Firmware Thinkpad X1 Yoga 6Th Gen Firmware Thinkpad X1 Yoga 7Th Gen Firmware Thinkpad X12 Detachable Gen 1 Firmware Thinkpad X13 Firmware Thinkpad X13 Gen 2 Firmware Thinkpad X13 Gen 3 Firmware Thinkpad X13 Yoga Gen 1 Firmware Thinkpad X13 Yoga Gen 2 Firmware Thinkpad X13 Yoga Gen 3 Firmware Thinkpad X390 Firmware Thinkpad X390 Yoga Firmware Thinkpad Z13 Gen 1 Firmware Thinkpad Z16 Gen 1 Firmware
6.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.7 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 26, 2023 - 20:15 nvd
MEDIUM 6.7

DescriptionNVD

A potential vulnerability in the LenovoFlashDeviceInterface SMI handler may allow an attacker with local access and elevated privileges to execute arbitrary code.

AnalysisAI

A potential vulnerability in the LenovoFlashDeviceInterface SMI handler may allow an attacker with local access and elevated privileges to execute arbitrary code. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Out-of-bounds Write (CWE-787), which allows attackers to write data beyond allocated buffer boundaries leading to code execution or crashes. A potential vulnerability in the LenovoFlashDeviceInterface SMI handler may allow an attacker with local access and elevated privileges to execute arbitrary code. Affected products include: Lenovo Thinkpad E14 Firmware, Lenovo Thinkpad E14 Gen 2 Firmware, Lenovo Thinkpad E14 Gen 4 Firmware, Lenovo Thinkpad E15 Firmware, Lenovo Thinkpad E15 Gen 2 Firmware.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate write boundaries, use memory-safe languages, enable compiler protections (ASLR, stack canaries).

Share

CVE-2023-2290 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy