CVE-2022-48189

MEDIUM

Lenovo ThinkPad E/L Series Firmware - Authenticated Arbitrary Code Execution via SMM Driver Input Validation

Title source: llm

Description

An SMM driver input validation vulnerability in the BIOS of some ThinkPad models could allow an attacker with local access and elevated privileges to execute arbitrary code.

References (1)

Core 1

Core References

Vendor Advisory

https://support.lenovo.com/us/en/product_security/LEN-106014

Scores

CVSS v3 6.7

EPSS 0.0002

EPSS Percentile 6.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20

Status published

Products (50)

lenovo/thinkpad_e14_firmware < 1.23

lenovo/thinkpad_e14_gen_2_firmware < 1.55

lenovo/thinkpad_e14_gen_4_firmware < 1.18

lenovo/thinkpad_e15_firmware < 1.23

lenovo/thinkpad_e15_gen_2_firmware < 1.55

lenovo/thinkpad_e15_gen_4_firmware < 1.18

lenovo/thinkpad_e490_firmware < 1.34

lenovo/thinkpad_e490s_firmware < 1.34

lenovo/thinkpad_e590_firmware < 1.34

lenovo/thinkpad_l13_gen_3_firmware < 1.14

... and 40 more

Published Oct 30, 2023

Tracked Since Feb 18, 2026