Description
An input validation vulnerability was reported in the LenovoProductivitySystemAddin used in Lenovo Vantage and Lenovo Baiying that could allow a local authenticated user to terminate arbitrary processes with elevated privileges.
Published: 2026-03-11
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation/Denial of Service
Action: Patch
AI Analysis

Impact

This vulnerability is an input validation flaw in the LenovoProductivitySystemAddin component used by Lenovo Vantage and Lenovo Baiying. A local authenticated user can invoke actions that terminate arbitrary processes with elevated privileges. This makes it possible to disrupt critical system or security processes, potentially leading to service interruption or denial of service, and it could be leveraged as a foothold for privilege escalation. The weakness is classified as CWE-88 (Improper Neutralization of Argument Delimiters in a Command, "Argument Injection"), meaning user-supplied input is passed into a command's arguments without sufficient validation.

Affected Systems

The affected products are Lenovo Vantage and Lenovo Baiying, specifically the LenovoProductivitySystemAddin. Versions prior to 1.0.0.138 of the addin are impacted. Users running any earlier release through Lenovo Vantage or Baiying are vulnerable.

Risk and Exploitability

The CVSS v4.0 score is 6.8 (medium severity); the CVSS v3.1 score is 5.5. EPSS is below 1%, suggesting a low likelihood of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attack requires local authentication; the attacker must be able to access the Vantage or Baiying addin to trigger the process termination. No remote execution vector is disclosed.

Generated by OpenCVE AI on March 17, 2026 at 14:53 UTC.

Remediation

Vendor Solution

Update Vantage LenovoProductivitySystemAddin to version 1.0.0.138 or later. LenovoProductivitySystemAddin is automatically updated by Lenovo Vantage and Baiying.


OpenCVE Recommended Actions

  • Update LenovoProductivitySystemAddin to version 1.0.0.138 or later via Lenovo Vantage or Baiying.
  • Verify that automatic updates are enabled for Lenovo Vantage and Baiying to receive future patches.



Advisories

No advisories yet.

History

Fri, 20 Mar 2026 15:45:00 +0000

Type | Values Removed | Values Added
Title | | Local Authenticated Process Termination via Input Validation in LenovoProductivitySystemAddin

Thu, 12 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | An input validation vulnerability was reported in the LenovoProductivitySystemAddin used in Lenovo Vantage and Lenovo Baiying that could allow a local authenticated user to terminate arbitrary processes with elevated privileges.
First Time appeared | | Lenovo; Lenovo baiying; Lenovo vantage
Weaknesses | | CWE-88
CPEs | | cpe:2.3:a:lenovo:baiying:*:*:*:*:*:*:*:*; cpe:2.3:a:lenovo:vantage:*:*:*:*:*:*:*:*
Vendors & Products | | Lenovo; Lenovo baiying; Lenovo vantage
References | |
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: lenovo

Published:

Updated: 2026-03-12T16:18:25.059Z

Reserved: 2026-01-30T19:00:49.191Z

Link: CVE-2026-1717

Vulnrichment

Updated: 2026-03-12T15:35:47.594Z

NVD

Status: Analyzed

Published: 2026-03-11T21:16:15.213

Modified: 2026-03-25T18:22:49.107

Link: CVE-2026-1717

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:37:10Z

Weaknesses