CVE-2022-3431

Name: CVE-2022-3431
Creator: NVD / NIST
Published: 2023-10-09T19:15:09.987+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.8/10EPSS 0.21%

Last modified Jun 17, 2026

CVE-2022-3431 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. A potential vulnerability in a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.. EPSS estimates a 0.21% chance of exploitation in the next 30 days.

Description

A potential vulnerability in a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

Metrics

CVSS 3.1

7.8/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.21%

10.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Lenovo	Ideapad Creator 5-16ach6 Firmware	< gscn34ww
Lenovo	Ideapad 5 Pro-16ihu6 Firmware	< grcn22ww
Lenovo	Ideapad 5 Pro-16ach6 Firmware	< gscn34ww
Lenovo	Yoga Slim 7-13itl05 Firmware	< f7cn39ww
Lenovo	Yoga Slim 7-13acn05 Firmware	< ghcn28ww
Lenovo	Yoga Slim 7 Pro 16arh7 Firmware	< klcn15ww
Lenovo	Yoga Slim 7 Pro 16ach6 Firmware	< hucn16ww
Lenovo	Yoga Slim 7 Carbon 13itl5 Firmware	< f7cn39ww
Lenovo	Yoga Duet 7-13itl6-Lte Firmware	< gpcn24ww
Lenovo	Yoga Duet 7-13itl6 Firmware	< gpcn24ww
Lenovo	Yoga Duet 7-13iml05 Firmware	< ercn30ww
Lenovo	Thinkbook Plus G3 Iap Firmware	< k6cn29ww
Lenovo	Thinkbook Plus G2 Itg Firmware	< gycn31ww
Lenovo	Thinkbook 16p Nx Arh Firmware	< kjcn27ww
Lenovo	Thinkbook 16 G4\+ Iap Firmware	< hycn40ww
Lenovo	Thinkbook 16 G4\+ Ara Firmware	< j6cn40ww
Lenovo	Thinkbook 14 G4\+ Iap Firmware	< hycn40ww
Lenovo	Thinkbook 14 G4\+ Ara Firmware	< j6cn40ww
Lenovo	Thinkbook 13x Itg Firmware	< hlcn30ww
Lenovo	Ideapad Slim 7 Pro 16ach6 Firmware	< hucn16ww
Lenovo	S540-15iml Firmware	< cncn22ww
Lenovo	Slim 7 16arh7 Firmware	< klcn15ww
Lenovo	Ideapad Duet 3 10igl5 Firmware	< eqcn37ww
Lenovo	Ideapad 5 Pro 16arh7 Firmware	< j4cn33ww
Lenovo	D330-10igl Firmware	< g0cn11ww

References

https://support.lenovo.com/us/en/product_security/LEN-94952Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-94952Vendor Advisory

Timeline

Published: Oct 9, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-3431?

How severe is CVE-2022-3431?

CVE-2022-3431 has a CVSS score of 7.8/10 (HIGH severity). The EPSS model estimates a 0.21% probability of exploitation in the next 30 days.

How do I fix CVE-2022-3431?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-3431?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST