Out-of-bounds Write in Lenovo ThinkPad BIOS Lets Privileged User Run SMM Code
CVE-2025-10238 Published on June 10, 2026
During an internal security assessment, a potential out-of-bounds write vulnerability was discovered in the BIOS of some ThinkPad products that could allow a privileged local user to execute code in System Management Mode (SMM).
Vulnerability Analysis
CVE-2025-10238 is exploitable only with local access to the system, and the attacker must already hold elevated user privileges. The attack complexity is considered low. The potential impact is considered very high, because code executing in SMM runs at a privilege level below the operating system and hypervisor and is not constrained by their protections.
Weakness Type
What is a Memory Corruption Vulnerability?
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
CVE-2025-10238 has been classified as a memory corruption vulnerability or weakness, specifically an out-of-bounds write.
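The following C program is an added illustrative example for this page. It is not Lenovo's firmware code and does not reproduce the CVE-2025-10238 bug, whose affected code path is not described here. It models the out-of-bounds write pattern above in the setting the advisory describes: an SMI handler that takes a caller-controlled request (index and value) from a communication buffer and writes into a table held in SMRAM. The SMRAM layout, the request structure and every function name are hypothetical. SMRAM is modelled as one flat byte array so that the out-of-range write stays inside a single C object and the demo remains well-defined; in real firmware the write would corrupt whatever happens to follow the table.

```c
/* Hypothetical SMI-handler model of a CWE-787 out-of-bounds write.
 * Added example for this page; not Lenovo's BIOS code and not CVE-2025-10238's
 * actual code path. All names and the SMRAM layout are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_ENTRIES   8
#define TABLE_OFFSET    0
/* The table is immediately followed by a "flash write locked" flag. Index
 * TABLE_ENTRIES (one past the end of the table) lands exactly on this flag. */
#define LOCK_FLAG_OFFSET (TABLE_ENTRIES * sizeof(uint32_t))
#define SMRAM_SIZE       (LOCK_FLAG_OFFSET + sizeof(uint32_t))

/* Simulated SMRAM: table of 32-bit entries, then the lock flag. */
typedef struct {
    uint8_t bytes[SMRAM_SIZE];
} smram_t;

/* Hypothetical request passed from a ring-0 caller via the SMM communication
 * buffer. Both fields are fully attacker-controlled. */
typedef struct {
    uint32_t index;
    uint32_t value;
} smi_request_t;

void smram_init(smram_t *s) {
    uint32_t locked = 1;
    memset(s, 0, sizeof *s);
    memcpy(s->bytes + LOCK_FLAG_OFFSET, &locked, sizeof locked);
}

uint32_t smram_lock_flag(const smram_t *s) {
    uint32_t v;
    memcpy(&v, s->bytes + LOCK_FLAG_OFFSET, sizeof v);
    return v;
}

uint32_t smram_table_entry(const smram_t *s, uint32_t i) {
    uint32_t v;
    memcpy(&v, s->bytes + TABLE_OFFSET + (size_t)i * sizeof(uint32_t), sizeof v);
    return v;
}

/* Vulnerable handler: the caller-supplied index is used without any bounds
 * check, so index == TABLE_ENTRIES overwrites the lock flag (CWE-787). */
void smi_set_entry_vulnerable(smram_t *s, const smi_request_t *req) {
    memcpy(s->bytes + TABLE_OFFSET + (size_t)req->index * sizeof(uint32_t),
           &req->value, sizeof req->value);
}

/* Hardened handler: reject any index outside the table before touching SMRAM.
 * Returns false and writes nothing for an out-of-range request. */
bool smi_set_entry_hardened(smram_t *s, const smi_request_t *req) {
    if (req->index >= TABLE_ENTRIES) {
        return false;
    }
    memcpy(s->bytes + TABLE_OFFSET + (size_t)req->index * sizeof(uint32_t),
           &req->value, sizeof req->value);
    return true;
}

/* Runs the one-past-the-end request through the vulnerable handler and
 * returns the lock flag afterwards (0 means the attacker cleared it). */
uint32_t demo_vulnerable_lock_after_attack(void) {
    smram_t s;
    smi_request_t req = { .index = TABLE_ENTRIES, .value = 0 };
    smram_init(&s);
    smi_set_entry_vulnerable(&s, &req);
    return smram_lock_flag(&s);
}

/* Same request through the hardened handler; the lock flag must survive. */
uint32_t demo_hardened_lock_after_attack(void) {
    smram_t s;
    smi_request_t req = { .index = TABLE_ENTRIES, .value = 0 };
    smram_init(&s);
    (void)smi_set_entry_hardened(&s, &req);
    return smram_lock_flag(&s);
}

/* A legitimate in-range request still works with the hardened handler. */
uint32_t demo_hardened_in_range_entry(void) {
    smram_t s;
    smi_request_t req = { .index = 3, .value = 0xAABBCCDDu };
    smram_init(&s);
    (void)smi_set_entry_hardened(&s, &req);
    return smram_table_entry(&s, 3);
}

int main(void) {
    printf("lock flag after attack, vulnerable handler: %u\n",
           demo_vulnerable_lock_after_attack());
    printf("lock flag after attack, hardened handler:   %u\n",
           demo_hardened_lock_after_attack());
    return 0;
}
```

Two practitioner caveats the bounds check alone does not cover: the handler must also verify that the communication buffer itself lies outside SMRAM before dereferencing it (otherwise the caller can point it at SMRAM and read or write there through the handler), and it should copy the request into SMRAM before validating it, so the caller cannot change the index between the check and the use.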
Products Associated with CVE-2025-10238
Affected Versions
Lenovo X13 Gen 6 (Type 21RK, 21RL) Laptops (ThinkPad) BIOS:
- Before 1.12 is affected.
- Before 1.15 is affected.
- Before BIOS: 1.13 / ECFW: 1.09 is affected.
- Before 1.40 is affected.
- Before 1.11 is affected.
- Before UEFI BIOS V1.22/ECP V1.13 is affected.
- Before 1.15 is affected.
- Before 1.14 is affected.
- Before 1.38 is affected.
- Before 1.13 is affected.
- Before 1.62/1.12 is affected.
- Before 1.10 is affected.
- Before 1.45 is affected.
- Before 1.25 is affected.
- Before 1.37 is affected.
- Before 1.65/1.13 is affected.
- Before 1.37 is affected.
- Before 1.28 is affected.
- Before 1.47 is affected.
- Before 1.38 is affected.
- Before BIOS: 1.40 / ECFW: 1.09 is affected.
- Before BIOS: 1.61 / ECFW: 1.57 is affected.
- Before 1.22 is affected.
- Before 1.51 is affected.
- Before 1.29 is affected.
- Before 1.23 is affected.
- Before 1.41 is affected.
- Before 1.34 is affected.
- Before 1.24 is affected.
- Before 1.28 is affected.
- Before 1.28 is affected.
- Before 1.27 is affected.
- Before 1.37 is affected.
- Before 1.62/1.12 is affected.
- Before and including 1.28 is affected.
- Before 1.69 is affected.
- Before 1.39 is affected.
- Before 1.17 is affected.
- Before 1.21 is affected.
- Before 1.14 is affected.
- Before 1.24 is affected.
- Before 1.27 is affected.
- Before 1.11 is affected.
- Before 1.45/1.25 is affected.
- Before 1.67 is affected.
- Before 1.29 is affected.
- Before 1.51 is affected.
- Before 1.63 is affected.
- Before 1.76 is affected.
- Before 1.48 is affected.
- Before 1.44 is affected.
- Before 1.25 is affected.
- Before 1.31 is affected.
- Before 1.34 is affected.
- Before 1.32 is affected.
- Before 1.27 is affected.
- Before and including 1.36 is affected.
- Before 1.52 is affected.
- Before 1.36 is affected.
- Before 1.38/1.36 is affected.
- Before 1.75 is affected.
- Before 1.24 is affected.
- Before 1.51 is affected.
- Before 1.64 is affected.
- Before 1.36 is affected.
- Before 1.97 is affected.
- Before 1.36 is affected.
- Before 1.83 is affected.
- Before 1.33 is affected.
- Before and including 1.38 is affected.
- Before 1.33 is affected.
- Before 1.97 is affected.
- Before 1.37 is affected.
- Before 1.68 is affected.
- Before and including 1.40 is affected.
- Before 1.21 is affected.
- Before 1.17 is affected.
- Before 1.73 is affected.
- Before 1.21 is affected.
- Before 1.10 is affected.
- Before 1.08 is affected.
- Before 1.69/1.21 is affected.
- Before 1.34 is affected.
- Before 1.37 is affected.
- Before 1.37 is affected.
- Before 1.34 is affected.
- Before 1.57 is affected.
- Before 1.41 is affected.
- Before 2.05 is affected.
- Before 1.66/1.55 is affected.
- Before 1.87/1.32 is affected.
- Before 2.01 is affected.
- Before 1.85/1.26 is affected.
- Before 1.55 is affected.
- Before 1.53 is affected.
- Before 1.45 is affected.
- Before 1.21 is affected.
- Before 1.11 is affected.
- Before 1.17 is affected.
- Before 1.10 is affected.
- Before 1.06 is affected.
- Before 1.14 is affected.
- Before 1.17 is affected.
- Before 1.26 is affected.
- Before 1.18 is affected.
- Before 1.21 is affected.
- Before 1.16 is affected.
- Before 1.18 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.