Home

Description

A potential insufficient access control vulnerability was reported in the Lenovo Dispatcher 3.0 and Dispatcher 3.1 drivers used by some Lenovo consumer notebooks that could allow an authenticated local user to execute code with elevated privileges. The Lenovo Dispatcher 3.2 driver is not affected. This vulnerability does not affect systems when the Windows feature Core Isolation Memory Integrity is enabled. Lenovo systems preloaded with Windows 11 have this feature enabled by default.

PUBLISHED Reserved 2025-07-22 | Published 2025-09-11 | Updated 2025-09-22 | Assigner lenovo




HIGH: 7.3CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 7.0CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-782: Exposed IOCTL with Insufficient Access Control

Product status

Default status
unaffected

Any version before 3.1.0.41
affected

Default status
unaffected

Any version before 3.1.0.41
affected

Credits

Lenovo thanks YiShun Zeng and Luis Casvella of Quarkslab for independently reporting this issue. finder

References

support.lenovo.com/us/en/product_security/LEN-200860

cve.org (CVE-2025-8061)

nvd.nist.gov (CVE-2025-8061)

Download JSON