Description
A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as “On” in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode.
Published: 2026-01-14
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Secure Boot Disablement
Action: Patch
AI Analysis

Impact

A firmware weakness in the BIOS of certain Lenovo ThinkPad models can cause Secure Boot to be turned off even when it is configured as "On" in the BIOS setup, but only when Secure Boot is set to User Mode. This flaw undermines the integrity of the boot process, allowing unsigned or tampered code to run during startup without detection. The weakness is identified as CWE‑252 (Unchecked Return Value).

Affected Systems

Affected devices include Lenovo ThinkPad L13 Gen 6 2‑in‑1, L13 Gen 6, L14 Gen 6, and L16 Gen 2 laptops. The issue is present in the BIOS firmware of these models, and updating to the latest BIOS firmware released by Lenovo is required to remediate it.

Risk and Exploitability

The vulnerability carries a CVSS score of 7, indicating high severity, but the EPSS score is below 1% and it is not listed in the CISA KEV catalog, implying a low probability of exploitation under current conditions. The likely attack surface involves firmware update or physical access, as the flaw manifests during BIOS operation. The presence of the problem only in User Mode suggests that an attacker could render Secure Boot ineffective after triggering the bug, potentially enabling unsigned payloads to boot.

Generated by OpenCVE AI on April 18, 2026 at 16:14 UTC.

Remediation

Vendor Solution

Update to the version (or higher) as recommended in the Product Impact section in the advisory: https://support.lenovo.com/us/en/product_security/LEN-210688


OpenCVE Recommended Actions

  • Apply the latest BIOS firmware update for the affected Lenovo ThinkPad models as specified by Lenovo in the support advisory.
  • If an immediate firmware update cannot be performed, switch Secure Boot configuration from User Mode to Standard Mode or temporarily disable Secure Boot until the update is applied.
  • Before installing the firmware, verify the update’s digital signature against Lenovo’s signed keys to ensure authenticity and prevent downgrade or tampering attacks.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title Lenovo BIOS Vulnerability Allowing Secure Boot Disablement

Thu, 15 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 22:30:00 +0000

Type Values Removed Values Added
Description A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as “On” in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode.
First Time appeared Lenovo
Lenovo thinkpad L13 Gen 6 2 In 1 Bios
Lenovo thinkpad L13 Gen 6 Bios
Lenovo thinkpad L14 Gen 6 Bios
Lenovo thinkpad L16 Gen 2 Bios
Weaknesses CWE-252
CPEs cpe:2.3:a:lenovo:thinkpad_l13_gen_6_2_in_1_bios:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:thinkpad_l13_gen_6_bios:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:thinkpad_l14_gen_6_bios:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:thinkpad_l16_gen_2_bios:*:*:*:*:*:*:*:*
Vendors & Products Lenovo
Lenovo thinkpad L13 Gen 6 2 In 1 Bios
Lenovo thinkpad L13 Gen 6 Bios
Lenovo thinkpad L14 Gen 6 Bios
Lenovo thinkpad L16 Gen 2 Bios
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: lenovo

Published:

Updated: 2026-02-26T15:04:07.954Z

Reserved: 2025-12-04T19:05:55.282Z

Link: CVE-2026-0421

Vulnrichment

Updated: 2026-01-15T13:54:33.827Z

NVD

Status: Deferred

Published: 2026-01-14T23:15:56.397

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0421

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z
