MEDIUM · 4.4

CVE-2021-3786

A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad systems could be used to leak data out of the SMRAM range.

CVSS Score

4.4

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: NONE
Availability: HIGH

Affected Products

Vendor   Product                               Versions
Lenovo   Thinkpad X380 Yoga Firmware           < 2020-10-31
Lenovo   Thinkpad X380 Yoga                    -
Lenovo   Thinkpad X1 Fold Gen 1 Firmware       < 2021-10-29
Lenovo   Thinkpad X1 Fold Gen 1                -
Lenovo   Thinkpad Yoga 260 Firmware            < 2021-10-25
Lenovo   Thinkpad Yoga 260                     -
Lenovo   Thinkpad Yoga 11E 3Rd Gen Firmware    < 2021-10-31
Lenovo   Thinkpad Yoga 11E 3Rd Gen             -
Lenovo   Thinkpad Yoga 15 Firmware             < n19et66w
Lenovo   Thinkpad Yoga 15                      -
Lenovo   Thinkpad Yoga 370 Firmware            < 2021-10-31
Lenovo   Thinkpad Yoga 370                     -
Lenovo   Thinkpad X12 Detachable Gen 1 Firmware < 2021-10-31
Lenovo   Thinkpad X12 Detachable Gen 1         -
Lenovo   Thinkpad X390 Firmware                < n2jet96w
Lenovo   Thinkpad X390                         -
Lenovo   Thinkpad Yoga 11E 4Th Gen Firmware    < 2021-10-31
Lenovo   Thinkpad Yoga 11E 4Th Gen             -
Lenovo   Thinkpad Yoga 11E 5Th Gen Firmware    < 2021-10-31
Lenovo   Thinkpad Yoga 11E 5Th Gen             -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2021-3786?

CVE-2021-3786 is a vulnerability with a CVSS score of 4.4 (MEDIUM). A potential vulnerability in the SMI callback function used in CSME configuration of some Lenovo Notebook and ThinkPad systems could be used to leak data out of the SMRAM range.

How severe is CVE-2021-3786?

CVE-2021-3786 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2021-3786?

Check the references section above for vendor advisories and patch information. Affected products include: Lenovo Thinkpad X380 Yoga Firmware, Lenovo Thinkpad X380 Yoga, Lenovo Thinkpad X1 Fold Gen 1 Firmware, Lenovo Thinkpad X1 Fold Gen 1, Lenovo Thinkpad Yoga 260 Firmware.