Skip to main content

LanSchool Classic EUVDEUVD-2026-36048

| CVE-2026-8637 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-06-10 lenovo GHSA-4rf2-jfxm-vxmr
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
Jun 10, 2026 - 16:01 EUVD
Analysis Updated
Jun 10, 2026 - 15:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 10, 2026 - 15:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 10, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
Jun 10, 2026 - 15:22 NVD
7.8 (HIGH) 8.5 (HIGH)
Analysis Generated
Jun 10, 2026 - 15:20 vuln.today

DescriptionNVD

A potential uncontrolled search path vulnerability was reported in the LanSchool Classic client application that could allow a local authenticated user to execute arbitrary code with elevated privileges.

AnalysisAI

Local privilege escalation in Lenovo's LanSchool Classic client application allows authenticated users on affected endpoints to execute arbitrary code with elevated privileges via an uncontrolled search path (CWE-427). The flaw carries a CVSS 4.0 score of 8.5 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because LanSchool Classic is widely deployed in K-12 and education environments, exploitation could let a student or low-privileged user gain SYSTEM-level control of managed classroom devices.

Technical ContextAI

LanSchool Classic is Lenovo's legacy classroom management client used by teachers to monitor and control student workstations. The root cause is CWE-427 (Uncontrolled Search Path Element), a class of bug where a Windows process loads a DLL or executable using an unqualified or attacker-influenced search path - typically the current working directory, a user-writable directory in PATH, or an application directory with weak ACLs. When the LanSchool Classic client runs with elevated privileges (which is typical for endpoint-management agents that need to enforce policy, lock screens, or take control of remote sessions), a low-privileged user who can place a malicious DLL or binary in an earlier search-path location causes the privileged process to load attacker-controlled code, yielding a privilege escalation. The CPE cpe:2.3:a:lenovo:lanschool_classic:*:*:*:*:*:*:*:* indicates all versions are in scope pending Lenovo's clarification in advisory LEN-217400.

RemediationAI

Patch available per vendor advisory - consult Lenovo Product Security advisory LEN-217400 at https://support.lenovo.com/us/en/product_security/LEN-217400 for the exact fixed client version and upgrade all LanSchool Classic student and teacher endpoints accordingly; exact fix version is not stated in the input data and must be taken from the advisory. Until patching is complete, compensating controls include tightening NTFS ACLs on the LanSchool Classic installation directory so that non-admin users cannot create or modify files there, removing user-writable directories that appear earlier than system directories in the system PATH, and using AppLocker or Windows Defender Application Control to block execution of unsigned DLLs and binaries from user-writable paths (note this can break legitimate per-user software and requires testing). On shared classroom devices where students are local users, consider temporarily stopping the LanSchool Classic service if classroom management can be paused, accepting the trade-off of losing monitoring capability during that window.

Share

EUVD-2026-36048 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy