Platform: windows
Component: lenovo-software-fix
Fixed in: 7.5.5.19
CVE-2026-4135 describes an Arbitrary File Access vulnerability discovered in Lenovo Software Fix. This flaw allows a local, authenticated user to write arbitrary files with elevated privileges during the installation process, potentially leading to system compromise. The vulnerability affects versions from 0.0.0 up to and including 7.5.5.19, and a fix is available in version 7.5.5.19.
Successful exploitation of CVE-2026-4135 could allow an attacker with local access and authentication to gain elevated privileges and write arbitrary files to the system. This could involve overwriting critical system files, installing malicious software, or modifying configuration data. The impact is significant as it could lead to complete system control. While the vulnerability requires local access, it bypasses standard user privilege restrictions, making it a serious security concern, especially in environments where user accounts have elevated permissions.
CVE-2026-4135 was publicly disclosed on 2026-04-15. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept exploits are currently unavailable, but the arbitrary file write capability presents a significant risk if exploited.
Exploit Status
EPSS: 0.01% (3% percentile)
The primary mitigation for CVE-2026-4135 is to upgrade Lenovo Software Fix to version 7.5.5.19 or later. If immediate upgrading is not possible due to compatibility issues or system downtime constraints, consider restricting user privileges to minimize the potential impact of a successful exploit. Implementing strict file access controls and monitoring installation processes can also help detect and prevent unauthorized file modifications. There are no specific WAF or proxy rules applicable to this vulnerability as it occurs during the installation process.
Update Lenovo Software Fix to version 7.5.5.19 or later to mitigate the arbitrary file write vulnerability. See the Lenovo security page (https://support.lenovo.com/us/en/product_security/LEN-213829) for detailed instructions on how to apply the update.
CVE-2026-4135 is a vulnerability in Lenovo Software Fix allowing a local authenticated user to write arbitrary files with elevated privileges during installation, potentially leading to system compromise.
You are affected if you are using Lenovo Software Fix versions 0.0.0 through 7.5.5.19. Upgrade to version 7.5.5.19 or later to mitigate the risk.
Upgrade Lenovo Software Fix to version 7.5.5.19 or later. If upgrading is not immediately possible, restrict user privileges and monitor installation processes.
There is currently no indication of active exploitation, but the vulnerability's nature presents a significant risk if exploited.
Refer to the official Lenovo Software Fix advisory for detailed information and updates regarding CVE-2026-4135.