Description
During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to execute code with elevated privileges.
Published: 2026-04-15
Score: 7 High
EPSS: n/a
KEV: No
Impact: Privilege Escalation
Action: Patch Update
AI Analysis

Impact

Lenovo Software Fix contains a flaw in its installation process that allows a local authenticated user to run code with elevated privileges. Because the installation function is executed with administrative rights, an attacker can execute arbitrary commands during setup, resulting in the potential acquisition of full system control and the ability to read, modify, or delete files and configurations.

Affected Systems

All installations of Lenovo Software Fix older than version 7.5.5.19 are vulnerable, regardless of operating system, as the issue was identified during an internal security assessment and applies to deployments where local users can run the installer.

Risk and Exploitability

The CVSS score of 7 indicates high severity. No public evidence of exploitation exists, and the exploitability is limited to users with local authenticated access to install the software; therefore the attack vector is local. Although the EPSS score is unavailable, the high CVSS and local nature of the vulnerability warrant timely patching to prevent privilege escalation.

Generated by OpenCVE AI on April 15, 2026 at 14:20 UTC.

Remediation

Vendor Solution

Update Lenovo Software Fix to version 7.5.5.19 or later.

OpenCVE Recommended Actions

  • Update Lenovo Software Fix to version 7.5.5.19 or later.
  • Restrict installation privileges to authorized administrators and enforce the principle of least privilege during deployment.
  • Verify that installation directories and libraries have appropriate permissions and monitor for unauthorized changes.
  • Configure audit logging to detect any attempts to modify system libraries during installation.

Generated by OpenCVE AI on April 15, 2026 at 14:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation During Lenovo Software Fix Installation

Wed, 15 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to execute code with elevated privileges.
First Time appeared Lenovo
Lenovo software Fix
Weaknesses CWE-427
CPEs cpe:2.3:a:lenovo:software_fix:*:*:*:*:*:*:*:*
Vendors & Products Lenovo
Lenovo software Fix
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Lenovo Software Fix
cve-icon MITRE

Status: PUBLISHED

Assigner: lenovo

Published:

Updated: 2026-04-15T13:08:19.333Z

Reserved: 2026-03-13T14:48:30.665Z

Link: CVE-2026-4134

cve-icon Vulnrichment

Updated: 2026-04-15T13:07:45.969Z

cve-icon NVD

Status : Received

Published: 2026-04-15T13:16:24.480

Modified: 2026-04-15T13:16:24.480

Link: CVE-2026-4134

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:52:54Z

Weaknesses