Description
During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to perform an arbitrary file write with elevated privileges.
Published: 2026-04-15
Score: 5.2 Medium
EPSS: n/a
KEV: No
Impact: Local Privilege Escalation via Arbitrary File Write
Action: Patch Update
AI Analysis

Impact

The vulnerability exists in Lenovo Software Fix and allows a local authenticated user to perform an arbitrary file write with elevated privileges during the installation process. This file write flaw, classified as CWE‑59, means an attacker could overwrite critical system files or binaries, potentially leading to privilege escalation or a full compromise of the affected machine. The impact is primarily an integrity and confidentiality breach where unauthorized changes could enable malicious code execution.

Affected Systems

The affected product is Lenovo Software Fix from Lenovo. Any installation that falls below the patched version 7.5.5.19 is vulnerable; upgrading to 7.5.5.19 or later resolves the issue. No specific sub‑versions were enumerated, so all older builds lacking the patch should be considered at risk.

Risk and Exploitability

The CVSS base score of 5.2 indicates a medium severity threat; the EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that the attack surface is limited to local and authenticated users who can trigger an installer run. Because the flaw allows elevated file writes, exploitation requires local administrative access, making widespread use unlikely, yet the flaw remains dangerous if leveraged for privilege escalation.

Generated by OpenCVE AI on April 15, 2026 at 13:50 UTC.

Remediation

Vendor Solution

Update Lenovo Software Fix to version 7.5.5.19 or later.

OpenCVE Recommended Actions

  • Apply the Lenovo Software Fix update to version 7.5.5.19 or later.
  • Reinstall the updated Software Fix to eliminate any residual vulnerable components.
  • Restrict installation rights so only trusted administrators can run the installer, reducing the attack surface.

Generated by OpenCVE AI on April 15, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Local Authenticated File Write Vulnerability in Lenovo Software Fix

Wed, 15 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to perform an arbitrary file write with elevated privileges.
First Time appeared Lenovo
Lenovo software Fix
Weaknesses CWE-59
CPEs cpe:2.3:a:lenovo:software_fix:*:*:*:*:*:*:*:*
Vendors & Products Lenovo
Lenovo software Fix
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H'}

cvssV4_0

{'score': 5.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Lenovo Software Fix
cve-icon MITRE

Status: PUBLISHED

Assigner: lenovo

Published:

Updated: 2026-04-15T13:05:12.030Z

Reserved: 2026-03-13T14:48:31.899Z

Link: CVE-2026-4135

cve-icon Vulnrichment

Updated: 2026-04-15T13:05:05.224Z

cve-icon NVD

Status : Received

Published: 2026-04-15T13:16:24.660

Modified: 2026-04-15T13:16:24.660

Link: CVE-2026-4135

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:52:52Z

Weaknesses