Privacy Ninja

New Lenovo BIOS Updates Fix Security Bugs in Hundreds of Models

New Lenovo BIOS Updates Fix Security Bugs in Hundreds of Models

Chinese computer manufacturer Lenovo has issued a security advisory to warn of several high-severity BIOS vulnerabilities impacting hundreds of devices in the various models (Desktop, All in One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation, ThinkSystem).

Also Read: PDP Act (Personal Data Protection Act) Laws and Regulation

Exploiting the flaws may lead to information disclosure, privilege escalation, denial of service, and, under certain circumstances, arbitrary code execution.

The vulnerabilities in Lenovo’s security advisory are the following:

  • CVE-2021-28216: Fixed pointer flaw in TianoCore EDK II BIOS (reference implementation of UEFI), allowing an attacker to elevate privileges and execute arbitrary code.
  • CVE-2022-40134: Information leak flaw in the SMI Set Bios Password SMI Handler, allowing an attacker to read SMM memory.
  • CVE-2022-40135: Information leak vulnerability in the Smart USB Protection SMI Handler, allowing an attacker to read SMM memory.
  • CVE-2022-40136: Information leak flaw in SMI Handler used for configuring platform settings over WMI, enabling an attacker to read SMM memory.
  • CVE-2022-40137: Buffer overflow in the WMI SMI Handler, enabling an attacker to execute arbitrary code.
  • American Megatrends security enhancements (no CVEs).

SMM (Ring -2) is part of the UEFI firmware that provides system-wide functions like low-level hardware control and power management.

Also Read: Top 10 Best Freelance Testing Websites That Will Pay You

Access to SMM could be extended to the operating system and RAM, and storage resources; that’s why both AMD and Intel have developed SMM isolation mechanisms to keep user data safe from low-level threats.


Lenovo has fixed the issues in the latest BIOS updates for impacted products. Most of the patches were released in are available since released in July and August 2022.

Additional patches are expected by the end of September and October, while a short list of models will receive the updates next year.

A complete list of the impacted computer models and the BIOS firmware version that addresses each vulnerability is included in the security bulletin, with links to the download portal for each model.

Alternatively, Lenovo computer owners may navigate to the “Drivers & Software” portal, search for their product by name, select “Manual Update”, and download the latest available BIOS firmware version.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us