Lenovo laptops open to attack — what to do right now

(Image credit: Tom's Guide)

Three security flaws in hundreds of Lenovo laptops could have exposed millions of users to potentially serious issues, security firm ESET announced today. These vulnerabilities would have allowed hackers to implant malware that would bypass a number 

Affected laptops include Lenovo Ideapads, Flex and Yoga notebooks, and Lenovo Legion gaming laptops. The good news is Lenovo has issued firmware updates for the affected models. Here's everything you need to know, and how to patch your laptop.

Three vulnerabilities found

ESET researcher Martin Smolár discovered three vulnerabilities in Lenovo laptops, and reported it to the company in October, 2021.

The first two vulnerabilities (CVE-2021-3971 and CVE-2021-3972) would have allowed an attacker with access to a laptop to install so-called UEFI malware — malicious code that activates during a notebook's startup, and can bypass built-in security protections. 

These vulnerabilities were a result of Lenovo accidentally leaving in place UEFI firmware drivers, where were meant to only be used during the manufacturing process, according to ESET. These drivers were left in the BIOS images that shipped to consumers. 

The third (CVE-2021-3970) was uncovered during ESET's investigation of the first two issues; this vulnerability would have allowed someone with direct access to a laptop to implant code in a machine's SMRAM. This could then be used to insert malware into a notebook's SPI flash memory chip, which also lets it bypass security protocols.

How to tell if your Lenovo laptop is affected and what to do

On Lenovo's support page, you can find a complete list of the laptops affected by these security vulnerabilities. They include the following models:

  • Ideapad 3 (14-, 15- and 17-inch models)
  • Flex 3
  • L340 gaming laptop
  • Legion 5
  • Legion 5 Pro
  • Legion 7
  • Legion S7
  • Legion Y540
  • Legion Y545
  • Legion Y7000
  • Lenovo S14 G2
  • Ideapad S145
  • Ideapad S540
  • Ideapad Slim 7 Pro
  • Ideapad Slim 9
  • V14 (G1 and G2)
  • Yoga 7
  • Yoga Slim 7 Pro
  • Yoga Slim 9

Lenovo provides links to the support pages for these affected laptops, where you can download the latest firmware updates. We install these updates ASAP so your system is protected. 

Mike Prospero
U.S. Editor-in-Chief, Tom's Guide

Michael A. Prospero is the U.S. Editor-in-Chief for Tom’s Guide. He oversees all evergreen content and oversees the Homes, Smart Home, and Fitness/Wearables categories for the site. In his spare time, he also tests out the latest drones, electric scooters, and smart home gadgets, such as video doorbells. Before his tenure at Tom's Guide, he was the Reviews Editor for Laptop Magazine, a reporter at Fast Company, the Times of Trenton, and, many eons back, an intern at George magazine. He received his undergraduate degree from Boston College, where he worked on the campus newspaper The Heights, and then attended the Columbia University school of Journalism. When he’s not testing out the latest running watch, electric scooter, or skiing or training for a marathon, he’s probably using the latest sous vide machine, smoker, or pizza oven, to the delight — or chagrin — of his family.