{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0421", "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "state": "PUBLISHED", "assignerShortName": "lenovo", "dateReserved": "2025-12-04T19:05:55.282Z", "datePublished": "2026-01-14T22:18:56.115Z", "dateUpdated": "2026-02-26T15:04:07.954Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ThinkPad L13 Gen 6 BIOS", "vendor": "Lenovo", "versions": [{"lessThan": "1.10", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "ThinkPad L13 Gen 6 2 in 1 BIOS", "vendor": "Lenovo", "versions": [{"lessThan": "1.10", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "ThinkPad L14 Gen 6 BIOS", "vendor": "Lenovo", "versions": [{"lessThan": "1.06", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "ThinkPad L16 Gen 2 BIOS", "vendor": "Lenovo", "versions": [{"lessThan": "1.06", "status": "affected", "version": "0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:thinkpad_l13_gen_6_bios:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.10", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:thinkpad_l13_gen_6_2_in_1_bios:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.10", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:thinkpad_l14_gen_6_bios:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.06", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:thinkpad_l16_gen_2_bios:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.06", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as \u201cOn\u201d in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode."}], "value": "A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as \u201cOn\u201d in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 7, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-252", "description": "CWE-252: Unchecked Return Value", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo", "dateUpdated": "2026-01-14T22:18:56.115Z"}, "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-210688"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Update to the version (or higher) as recommended in the Product Impact section in the advisory:&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://support.lenovo.com/us/en/product_security/LEN-210688\">https://support.lenovo.com/us/en/product_security/LEN-210688</a></span><br>"}], "value": "Update to the version (or higher) as recommended in the Product Impact section in the advisory:\u00a0 https://support.lenovo.com/us/en/product_security/LEN-210688"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.3.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0421", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-16T04:55:45.785849Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:07.954Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0421", "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "state": "PUBLISHED", "assignerShortName": "lenovo", "dateReserved": "2025-12-04T19:05:55.282Z", "datePublished": "2026-01-14T22:18:56.115Z", "dateUpdated": "2026-01-16T04:55:44.710Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ThinkPad L13 Gen 6 BIOS", "vendor": "Lenovo", "versions": [{"lessThan": "1.10", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "ThinkPad L13 Gen 6 2 in 1 BIOS", "vendor": "Lenovo", "versions": [{"lessThan": "1.10", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "ThinkPad L14 Gen 6 BIOS", "vendor": "Lenovo", "versions": [{"lessThan": "1.06", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "ThinkPad L16 Gen 2 BIOS", "vendor": "Lenovo", "versions": [{"lessThan": "1.06", "status": "affected", "version": "0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:thinkpad_l13_gen_6_bios:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.10", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:thinkpad_l13_gen_6_2_in_1_bios:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.10", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:thinkpad_l14_gen_6_bios:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.06", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:thinkpad_l16_gen_2_bios:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.06", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as \u201cOn\u201d in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode."}], "value": "A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as \u201cOn\u201d in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 7, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-252", "description": "CWE-252: Unchecked Return Value", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo", "dateUpdated": "2026-01-14T22:18:56.115Z"}, "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-210688"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Update to the version (or higher) as recommended in the Product Impact section in the advisory:&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://support.lenovo.com/us/en/product_security/LEN-210688\">https://support.lenovo.com/us/en/product_security/LEN-210688</a></span><br>"}], "value": "Update to the version (or higher) as recommended in the Product Impact section in the advisory:\u00a0 https://support.lenovo.com/us/en/product_security/LEN-210688"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.3.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0421", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-16T04:55:45.785849Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T13:54:33.827Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as \u201cOn\u201d in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode."}, {"lang": "es", "value": "Una posible vulnerabilidad fue reportada en la BIOS de los ThinkPads L13 Gen 6, L13 Gen 6 2-en-1, L14 Gen 6 y L16 Gen 2, lo que podr\u00eda resultar en que Secure Boot se desactive incluso cuando est\u00e1 configurado como 'On' en el men\u00fa de configuraci\u00f3n de la BIOS. Este problema solo afecta a los sistemas donde Secure Boot est\u00e1 configurado en Modo Usuario."}], "id": "CVE-2026-0421", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 5.9, "source": "psirt@lenovo.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "psirt@lenovo.com", "type": "Secondary"}]}, "published": "2026-01-14T23:15:56.397", "references": [{"source": "psirt@lenovo.com", "url": "https://support.lenovo.com/us/en/product_security/LEN-210688"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-252"}], "source": "psirt@lenovo.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:14:16.144054+00:00", "value": {"mitigation_remediation": ["Apply the latest BIOS firmware update for the affected Lenovo ThinkPad models as specified by Lenovo in the support advisory.", "If an immediate firmware update cannot be performed, switch Secure Boot configuration from User Mode to Standard Mode or temporarily disable Secure Boot until the update is applied.", "Before installing the firmware, verify the update\u2019s digital signature against Lenovo\u2019s signed keys to ensure authenticity and prevent downgrade or tampering attacks."], "summary": {"action": "Patch", "impact": "Secure Boot Disablement"}, "threat_synthesis": {"affected_systems": "Affected devices include Lenovo ThinkPad L13 Gen\u00a06 2\u2011in\u20111, L13 Gen\u00a06, L14 Gen\u00a06, and L16 Gen\u00a02 laptops. The issue is present in the BIOS firmware of these models, and updating to the latest BIOS firmware released by Lenovo is required to remediate it.", "description_and_impact": "A firmware weakness in the BIOS of certain Lenovo ThinkPad models can cause Secure Boot to be turned off even when it is configured as \"On\" in the BIOS setup, but only when Secure Boot is set to User Mode. This flaw undermines the integrity of the boot process, allowing unsigned or tampered code to run during startup without detection. The weakness is identified as CWE\u2011252 (Unchecked Return Value).", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7, indicating high severity, but the EPSS score is below 1% and it is not listed in the CISA KEV catalog, implying a low probability of exploitation under current conditions. The likely attack surface involves firmware update or physical access, as the flaw manifests during BIOS operation. The presence of the problem only in User Mode suggests that an attacker could render Secure Boot ineffective after triggering the bug, potentially enabling unsigned payloads to boot."}}}}, "created": "2026-04-18T16:15:04.610784+00:00", "title": "Lenovo BIOS Vulnerability Allowing Secure Boot Disablement", "updated": "2026-04-18T16:15:04.610797+00:00", "vendors": []}