20
CVEs
0
Critical
9
High
0
KEV
1
PoC
0
Unpatched C/H
85.0%
Patch Rate
0.0%
Avg EPSS
Severity Breakdown
CRITICAL
0
HIGH
9
MEDIUM
10
LOW
0
Monthly CVE Trend
Affected Products (30)
Linux Kernel
27
Thinkcentre M625Q Firmware
17
Thinkcentre M80T Firmware
16
Thinkcentre M80S Firmware
16
Thinkcentre M90T Firmware
16
Thinkcentre M90S Firmware
16
Thinkcentre M70S Firmware
15
Ideacentre 5 14Iob6 Firmware
15
Thinkcentre M70Q Firmware
15
Thinkcentre M70T Firmware
15
Ideacentre 3 07Imb05 Firmware
15
Ideacentre G5 14Imb05 Firmware
15
Ideacentre Gaming 5 14Iob6 Firmware
15
Thinkcentre M75S Gen 2 Firmware
15
V30A 22Iml Firmware
15
Thinkcentre M80Q Firmware
15
V50A 22Imb Firmware
15
V50A 24Imb Firmware
15
V50T 13Imb Firmware
15
Thinkcentre M90Q Tiny Firmware
15
Thinkcentre M630E Firmware
15
Thinkcentre M70C Firmware
15
Ideacentre 5 14Imb05 Firmware
15
Thinkcentre M75N Firmware
15
V50S 07Imb Firmware
15
Thinkcentre M90A Firmware
15
Thinkcentre M75T Gen 2 Firmware
15
Ideacentre Creator 5 14Iob6 Firmware
15
V50T 13Imh Firmware
14
Ideacentre Gaming 5 17Iab7 Firmware
14
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-58583 | Local privilege escalation in the FluxInk (formerly Sunia SPB Peripheral) Color Management Driver TcnPeripheral64.sys version 1.0.7.2 lets a standard user map arbitrary physical memory via the \Device\PhysicalMemory object and gain kernel-level control. The flaw affects Lenovo systems shipping this signed color-management driver and is fixed in version 1.0.7.6. Publicly available exploit code exists; there is no public exploit identified as actively exploited (not in CISA KEV), though the vulnerability was reported by CISA (cisa-cg). | HIGH | 8.4 | 0.1% | 62 |
PoC
|
| CVE-2026-6281 | Remote command execution in Lenovo Personal Cloud Storage devices (T1, T2, T2S, T2Pro, X1, X1S, A1, A1S, and Home Storage Hub T20/X20) allows authenticated users on the local network to execute arbitrary commands via OS command injection (CWE-78). The CVSS v4.0 score of 8.7 reflects complete system compromise potential (VC:H/VI:H/VA:H) through network attack with low complexity but requiring low-privilege authentication (AV:N/AC:L/PR:L). No evidence of active exploitation (not in CISA KEV) or public exploit code identified at time of analysis. Lenovo has issued advisories including end-of-life notices for certain models (T1), indicating some affected products may not receive patches. | HIGH | 8.7 | 0.2% | 44 |
|
| CVE-2026-6282 | Path traversal in Lenovo Personal Cloud Storage devices allows authenticated remote attackers to move or access files belonging to other users on the same device, enabling unauthorized data disclosure and modification across user boundaries. Affects multiple product lines including Personal Cloud (T1, T2, T2S, T2Pro, X1, X1S, A1, A1S) and Home Storage Hub (T20, X20). CVSS 8.6 reflects high confidentiality and integrity impact with low attack complexity. No active exploitation confirmed in CISA KEV at time of analysis, and EPSS data not available for this 2026 CVE identifier. | HIGH | 8.6 | 0.1% | 43 |
|
| CVE-2026-4145 | During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix that could allow a local authenticated user to | HIGH | 8.5 | 0.0% | 43 |
|
| CVE-2026-9045 | Local privilege escalation in Lenovo Accessories and Display Manager for Enterprise on Windows allows an authenticated low-privileged user to execute arbitrary code with elevated privileges, per a Lenovo-disclosed internal finding (LEN-213623). The CVSS 4.0 base score of 8.5 reflects high impact to confidentiality, integrity, and availability of the vulnerable system, though no public exploit identified at time of analysis. The CWE-306 (Missing Authentication for Critical Function) classification combined with the 'Authentication Bypass' tag suggests a privileged operation in the product is reachable without proper access checks. | HIGH | 8.5 | 0.0% | 42 |
|
| CVE-2026-31587 | Use-after-free in Linux kernel q6apm audio driver allows local authenticated attackers with low privileges to achieve arbitrary code execution, denial of service, or information disclosure with high impact to confidentiality, integrity, and availability. The flaw affects Qualcomm ASoC q6apm component registration code used in devices like Lenovo 21N2ZC5PUS laptops. Vendor-released patches are available across multiple kernel version branches (6.12.83, 6.18.24, 6.19.14, 7.0.1). EPSS score of 0.02% (5th percentile) indicates low probability of mass exploitation despite high CVSS 7.8, with no confirmed active exploitation or public POC identified at time of analysis. | HIGH | 7.8 | 0.0% | 39 |
|
| CVE-2026-6090 | Privilege escalation in Lenovo Smart Connect for Windows allows a local authenticated user to bypass authentication checks and execute arbitrary code with elevated privileges. The flaw stems from an authentication bypass weakness (CWE-290) in the Windows client and carries a CVSS 4.0 score of 7.3. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. | HIGH | 7.3 | 0.0% | 36 |
|
| CVE-2026-46055 | Out-of-bounds read in the Linux kernel's AppArmor LSM subsystem (security/apparmor/match.c) allows a local low-privileged user to trigger a KASAN slab-out-of-bounds read via the mount() syscall on kernels 7.0 through 7.0.3 and 7.1-rc1. The flaw stems from a missing string terminator that causes aa_dfa_match() to read past the end of an 8KB kmalloc buffer when processing mount path strings, resulting in potential information disclosure and system instability (denial of service). No public exploit identified at time of analysis, and EPSS probability is negligible at 0.02%. | HIGH | 7.1 | 0.0% | 36 |
|
| CVE-2026-4134 | During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local | HIGH | 7.0 | 0.0% | 35 |
|
| CVE-2026-1715 | Lenovo Vantage and Baiying DeviceSettingsSystemAddin contains an input validation flaw that allows authenticated local users to modify arbitrary registry keys with system-level privileges. This vulnerability could enable privilege escalation or system configuration tampering by an attacker with local access. No patch is currently available. | MEDIUM | 6.9 | 0.0% | 35 |
No patch
|
| CVE-2026-1716 | Lenovo Vantage and Baiying DeviceSettingsSystemAddin contain an input validation flaw that allows authenticated local users to delete arbitrary registry keys with elevated privileges. This vulnerability affects systems where users have local access and could enable attackers to modify system configuration or disable security controls. No patch is currently available. | MEDIUM | 6.9 | 0.0% | 35 |
No patch
|
| CVE-2026-0827 | During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantag | MEDIUM | 6.9 | 0.0% | 35 |
|
| CVE-2026-1717 | LenovoProductivitySystemAddin in Lenovo Vantage and Baiying contains an input validation flaw that enables local authenticated users to terminate arbitrary processes with elevated privileges. This medium-severity vulnerability (CVSS 6.8) requires local access and valid credentials but poses a significant availability risk. No patch is currently available. | MEDIUM | 6.8 | 0.0% | 34 |
No patch
|
| CVE-2026-53305 | NULL pointer dereference in the Linux kernel's ps883x USB Type-C retimer driver causes a kernel Oops during device unbind, resulting in a denial of service. The ps883x_retimer_remove() function calls i2c_get_clientdata() to retrieve driver-private state, but i2c_set_clientdata() was never called during probe, leaving the pointer NULL; dereference at offset 0x20 triggers a fatal translation fault. Systems with ps883x retimer hardware running affected kernel versions are vulnerable when a privileged local user unbinds the driver via sysfs. No active exploitation is confirmed (no CISA KEV listing), and the EPSS score of 0.17% (6th percentile) reflects negligible real-world exploitation probability. | MEDIUM | 5.5 | 0.2% | 28 |
|
| CVE-2025-71297 | Kernel denial of service in rtw88 WiFi driver 8822b chipset allows local authenticated users to trigger a kernel WARNING and potential system instability by setting antenna configuration while the wireless chip is powered off, causing unexpected values when RF registers are read during power-down state. | MEDIUM | 5.5 | 0.0% | 28 |
|