What is CVE-2021-3970?

CVE-2021-3970 is a medium-severity vulnerability in Lenovo Notebook Bios, classified under Improper Input Validation. CVSS score: 6.7/10. Published 2022-04-22.

How severe is CVE-2021-3970?

Medium severity. CVSS v3 base score is 6.7 out of 10.

Is CVE-2021-3970 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Improper input validation in Lenovo Notebook Bios

CVE-2021-3970

A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models BIOS may allow an attacker with local access and elevated privileges to execute arbitrary code.

Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)

EPSS: 0.004 (58.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.7 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Affected products

Lenovo Notebook Bios — versions various

Weakness classification (CWE)

CWE-20 — Improper Input Validation

Public proof-of-concept exploits

References

support.lenovo.com/us/en/product_security/LEN-73440 (x_refsource_MISC)

Frequently asked questions

What is CVE-2021-3970?: CVE-2021-3970 is a medium-severity vulnerability in Lenovo Notebook Bios, classified under Improper Input Validation. CVSS score: 6.7/10. Published 2022-04-22.
How severe is CVE-2021-3970?: Medium severity. CVSS v3 base score is 6.7 out of 10.
Is CVE-2021-3970 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.