CVE-2022-40137

MEDIUM | CVSS 6.7/10 | EPSS 0.23%

CVE-2022-40137 is a medium-severity vulnerability rated 6.7/10 on the CVSS scale. A buffer overflow in the WMI SMI Handler in some Lenovo models may allow an attacker with local access and elevated privileges to execute arbitrary code. EPSS estimates a 0.23% chance of exploitation in the next 30 days.

Description

A buffer overflow in the WMI SMI Handler in some Lenovo models may allow an attacker with local access and elevated privileges to execute arbitrary code.

Metrics

CVSS 3.1
6.7/10

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.23%

13.3th percentile

Probability of exploitation in the next 30 days.

Affected Software

Vendor  Product                               Versions  Update
Lenovo  Ideacentre C5-14imb05 Firmware        o4hkt3aa
Lenovo  Ideacentre E96z Firmware              m26kt24a
Lenovo  Ideacentre 3 07iab7 Firmware          m49kt1da
Lenovo  Ideacentre 3-07imb05 Firmware         m2vkt1fa
Lenovo  Ideacentre 5 14iab7 Firmware          m42kt40a
Lenovo  Ideacentre 5-14acn6 Firmware          o5ekt23a
Lenovo  Ideacentre 5-14imb05 Firmware         o4hkt3aa
Lenovo  Ideacentre 5-14iob6 Firmware          m3gkt38a
Lenovo  Ideacentre Aio 3-22ada6 Firmware      o5ckt24a
Lenovo  Ideacentre Aio 3-22iil5 Firmware      o56kt22a
Lenovo  Ideacentre Aio 3-22itl6 Firmware      o5akt31a
Lenovo  Ideacentre Aio 3-24ada6 Firmware      o5ckt24a
Lenovo  Ideacentre Aio 3-24alc6 Firmware      o5bkt24a
Lenovo  Ideacentre Aio 3-24iil5 Firmware      o56kt22a
Lenovo  Ideacentre Aio 3-24itl6 Firmware      o5akt31a
Lenovo  Ideacentre Aio 3-27alc6 Firmware      o5bkt24a
Lenovo  Ideacentre Aio 3-27itl6 Firmware      o5akt31a
Lenovo  Ideacentre G5-14imb05 Firmware        o4hkt3aa
Lenovo  Ideacentre Gaming 5 17acn7 Firmware   o5ekt23a
Lenovo  Ideacentre Gaming 5 17iab7 Firmware   m42kt40a
Lenovo  Ideacentre Gaming 5-14acn6 Firmware   o5ekt23a
Lenovo  Ideacentre Gaming 5-14iob6 Firmware   m3gkt38a
Lenovo  Ideacentre Mini 5-01imh05 Firmware    o4ekt17a
Lenovo  Legion C530-19icb Firmware            o4bkt21a
Lenovo  Legion T5-26iob6 Firmware             o54kt20a
Lenovo  Legion T5-28icb05 Firmware            o4bkt21a
Lenovo  Legion T530-28apr Firmware            o4gkt17a
Lenovo  Legion T530-28icb Firmware            o4bkt21a
Lenovo  Legion T7-34imz5 Firmware             o4lkt1fa
Lenovo  Legion T7-34imz5 Firmware             o5fkt14a
Lenovo  Ideacentre M60e Tiny Firmware         m3skt21a
Lenovo  Ideacentre M625q Firmware             m1wkt46a
Lenovo  Ideacentre M630e Firmware             m28kt39a
Lenovo  Ideacentre M700 Tiny Firmware         fwktbfa
Lenovo  Ideacentre M70a Firmware              m2skt26a
Lenovo  Ideacentre M70a Gen 2 Firmware        m3nkt21a
Lenovo  Ideacentre M70a Gen 3 Firmware        m4ekt18a
Lenovo  Ideacentre M70c Firmware              m2vkt1fa
Lenovo  Ideacentre M70q Firmware              m2wkt55a
Lenovo  Ideacentre M70q Gen 2 Firmware        m3jkt35a
Lenovo  Ideacentre M70q Gen 3 Firmware        m43kt16a
Lenovo  Ideacentre M70s Firmware              m2tkt50a
Lenovo  Ideacentre M70s Gen 3 Firmware        m41kt2da
Lenovo  Ideacentre M70t Firmware              m2tkt50a
Lenovo  Ideacentre M70t Gen 3 Firmware        m41kt2da
Lenovo  Ideacentre M710e Firmware             m1zkt39a
Lenovo  Ideacentre M710q Firmware             m1akt56a
Lenovo  Ideacentre M710s Firmware             m16kt69a
Lenovo  Ideacentre M710t Firmware             m16kt69a
Lenovo  Ideacentre M715q 2nd Gen Firmware     m1xkt58a

Showing 50 of 296 affected configurations. See NVD for the full list.

Timeline

Status: Modified

Frequently Asked Questions

What is CVE-2022-40137?
A buffer overflow in the WMI SMI Handler in some Lenovo models may allow an attacker with local access and elevated privileges to execute arbitrary code.

How severe is CVE-2022-40137?
CVE-2022-40137 has a CVSS score of 6.7/10 (MEDIUM severity). The EPSS model estimates a 0.23% probability of exploitation in the next 30 days.

How do I fix CVE-2022-40137?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Source: NVD / NIST