Description
During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix that could allow a local authenticated user to perform arbitrary code execution with elevated privileges.
Published: 2026-04-15
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

An internal security assessment uncovered that Lenovo Software Fix contains a flaw that permits a local authenticated user to execute arbitrary code with elevated privileges. This weakness, identified as CWE‑88, could enable the attacker to run any commands, modify system settings, or install additional malware, thereby compromising the integrity and confidentiality of the affected system.

Affected Systems

Lenovo Software Fix is affected when installed before update version 7.5.5.19. All versions of the product listed under the Lenovo Software Fix family are vulnerable until the stated patch is applied.

Risk and Exploitability

The vulnerability scores a CVSS base of 8.5, indicating a high severity. The EPSS indicator is not available, but the lack of a KEV listing suggests no widespread public exploitation reports yet. The attack requires local authenticated access, so the threat is primarily internal; however, once a user gains the necessary module, arbitrary code execution is achievable without additional privilege escalation steps.

Generated by OpenCVE AI on April 15, 2026 at 13:20 UTC.

Remediation

Vendor Solution

Update Lenovo Software Fix to version 7.5.5.19 or later.

OpenCVE Recommended Actions

  • Update Lenovo Software Fix to version 7.5.5.19 or later
  • Limit local user accounts from running Software Fix or grant them only the minimal permissions required
  • Enable auditing and monitor for abnormal activity such as unexpected process creation or privilege changes

Generated by OpenCVE AI on April 15, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation in Lenovo Software Fix

Wed, 15 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix that could allow a local authenticated user to perform arbitrary code execution with elevated privileges.
First Time appeared Lenovo
Lenovo software Fix
Weaknesses CWE-88
CPEs cpe:2.3:a:lenovo:software_fix:*:*:*:*:*:*:*:*
Vendors & Products Lenovo
Lenovo software Fix
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Lenovo Software Fix
cve-icon MITRE

Status: PUBLISHED

Assigner: lenovo

Published:

Updated: 2026-04-15T13:02:39.038Z

Reserved: 2026-03-13T17:11:27.390Z

Link: CVE-2026-4145

cve-icon Vulnrichment

Updated: 2026-04-15T13:02:13.524Z

cve-icon NVD

Status : Received

Published: 2026-04-15T13:16:24.837

Modified: 2026-04-15T13:16:24.837

Link: CVE-2026-4145

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:52:51Z

Weaknesses