CVE-2026-4145
Published: 15 April 2026
Summary
CVE-2026-4145 is a high-severity Argument Injection (CWE-88) vulnerability in Lenovo Software Fix (inferred from references). Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit-likelihood ranking sits at the 1.2 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and remediation of flaws like CVE-2026-4145 by patching the vulnerable Lenovo Software Fix component.
- SI-10 (Information Input Validation): implements input validation at entry points to neutralize argument delimiters and prevent the CWE-88 argument injection exploitable by local authenticated users.
- AC-6 (Least Privilege): enforces least privilege for users and processes to limit the impact of arbitrary code execution with elevated privileges.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a local privilege escalation vulnerability via argument injection (CWE-88) allowing arbitrary code execution with elevated privileges from a low-privileged authenticated user, directly matching Exploitation for Privilege Escalation.
NVD Description
During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix that could allow a local authenticated user to perform arbitrary code execution with elevated privileges.
Deeper analysis
CVE-2026-4145 is a privilege escalation vulnerability discovered during an internal security assessment in Lenovo Software Fix. It enables a local authenticated user to execute arbitrary code with elevated privileges, stemming from CWE-88 (Improper Neutralization of Argument Delimiters in a Command, or argument injection). The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability with local access required.
A local authenticated user with low privileges can exploit this vulnerability without user interaction and with low complexity. Successful exploitation allows the attacker to gain elevated privileges, potentially leading to full system compromise on affected Lenovo systems running the vulnerable Software Fix component.
Lenovo has published an advisory at https://support.lenovo.com/us/en/product_security/LEN-213829 detailing the issue, with recommendations for mitigation through patching or other protective measures. The CVE was published on 2026-04-15T13:16:24.837.
Details
- CWE(s)