CVE-2026-0421 Overview
A BIOS vulnerability affects multiple Lenovo ThinkPad models, allowing Secure Boot to be silently disabled even when the BIOS setup menu reports it as enabled. The flaw exists in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads. The issue applies only to systems where Secure Boot is configured in User Mode. The vulnerability stems from an unchecked return value [CWE-252] during firmware initialization. An attacker with high local privileges can leverage this gap to load unsigned bootloaders and pre-boot malware that survive operating system reinstalls.
Critical Impact
Secure Boot can be bypassed on affected ThinkPads while the BIOS UI continues to report Secure Boot as active, enabling persistent bootkit installation.
Affected Products
- Lenovo ThinkPad L13 Gen 6 and L13 Gen 6 2-in-1
- Lenovo ThinkPad L14 Gen 6
- Lenovo ThinkPad L16 Gen 2
Discovery Timeline
- 2026-01-14 - CVE-2026-0421 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-0421
Vulnerability Analysis
The vulnerability is a Secure Boot Bypass caused by an unchecked return value [CWE-252] in the affected ThinkPad BIOS. When Secure Boot is configured in User Mode, the firmware fails to validate the result of an internal status check before continuing the boot flow. As a result, Secure Boot enforcement is silently skipped while the BIOS setup menu continues to display the feature as On. This breaks the platform's chain of trust between firmware and the operating system loader. An attacker who achieves the necessary local privileges can install an unsigned UEFI bootloader, kernel driver, or bootkit that the platform should otherwise reject. Because the bypass occurs below the operating system, malicious code persists across OS reinstallation and is invisible to most endpoint controls.
Root Cause
The BIOS code path responsible for enforcing Secure Boot does not handle an error condition returned by a lower-level firmware routine. The missing check causes the platform to proceed as if Secure Boot validation succeeded.
Attack Vector
Exploitation requires local access and high privileges, along with user interaction such as a reboot. An attacker first stages a malicious bootloader on the EFI System Partition, then triggers a reboot. The affected BIOS loads the unsigned binary without verification while still reporting Secure Boot as enabled. Refer to the Lenovo Security Advisory LEN-210688 for technical details.
Detection Methods for CVE-2026-0421
Indicators of Compromise
- Unsigned or unexpected .efi binaries present in the EFI System Partition, particularly under \EFI\BOOT\ or vendor directories.
- BIOS setup screen reporting Secure Boot as On while operating system queries (such as Confirm-SecureBootUEFI on Windows or mokutil --sb-state on Linux) return inconsistent or disabled states.
- Modifications to BIOS variables related to Secure Boot mode without a corresponding administrative change record.
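The mismatch indicator above can be checked programmatically. The script below is an added example for this page, not code from Lenovo or the advisory: it parses Linux efivars entries (the same data mokutil --sb-state reads), where each file under /sys/firmware/efi/efivars holds 4 bytes of little-endian attributes followed by the variable data, and SecureBoot and SetupMode under the EFI global variable GUID each carry one data byte (SetupMode 0 is User Mode, the configuration this CVE applies to). The BIOS-side value is supplied by the caller from inventory or the setup screen; the sample byte strings and the assess() finding names are constructed.

```python
"""Cross-check Secure Boot as the OS sees it against what the BIOS menu shows.

Added example, not part of the original advisory. Parses Linux efivars
entries: 4 bytes of attributes, then the variable data. SecureBoot and
SetupMode each hold one data byte (1 = on / setup mode). The sample entries
at the bottom are constructed for demonstration.
"""
from pathlib import Path
from typing import Optional

EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def parse_efivar_flag(raw: Optional[bytes]) -> Optional[int]:
    """Return the single data byte of an efivars entry, or None if absent or malformed."""
    if raw is None or len(raw) < 5:
        return None
    # The first 4 bytes are the attributes word; variable data begins at offset 4.
    return raw[4]


def os_secure_boot_view(secureboot_raw: Optional[bytes], setupmode_raw: Optional[bytes]) -> dict:
    """Summarise the OS view: is Secure Boot enforced, and is the platform in User Mode?"""
    sb = parse_efivar_flag(secureboot_raw)
    sm = parse_efivar_flag(setupmode_raw)
    return {
        "readable": sb is not None and sm is not None,
        "secure_boot_enabled": sb == 1,
        "user_mode": sm == 0,
    }


def read_efivar(name: str) -> Optional[bytes]:
    """Read one variable from the live efivars filesystem (Linux); None if unavailable."""
    try:
        return (EFIVARS_DIR / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}").read_bytes()
    except OSError:
        return None


def assess(bios_reports_on: bool, os_view: dict) -> list:
    """Detection rule: the BIOS setup menu says On but the OS disagrees.

    Finding names are constructed labels for this example.
    """
    if not os_view["readable"]:
        return ["os-view-unreadable"]
    findings = []
    if bios_reports_on and not os_view["secure_boot_enabled"]:
        findings.append("bios-os-mismatch")
        if os_view["user_mode"]:
            # CVE-2026-0421 applies only to User Mode, so note that for triage.
            findings.append("user-mode-affected-config")
    return findings


# Constructed sample entries: attributes 0x07 (NV+BS+RT), then the one data byte.
ATTRS = b"\x07\x00\x00\x00"
SAMPLE_SB_ON, SAMPLE_SB_OFF = ATTRS + b"\x01", ATTRS + b"\x00"
SAMPLE_SETUP_USER, SAMPLE_SETUP_SETUP = ATTRS + b"\x00", ATTRS + b"\x01"

if __name__ == "__main__":
    # On a Linux host this reads the live values; the BIOS-side value is whatever
    # asset inventory recorded from the setup menu (assumed True here).
    view = os_secure_boot_view(read_efivar("SecureBoot"), read_efivar("SetupMode"))
    print(view, assess(bios_reports_on=True, os_view=view))
```

Run it on each managed Linux endpoint with the BIOS-side value taken from inventory, and raise an alert on any "bios-os-mismatch" result; the Windows equivalent feeds the boolean from Confirm-SecureBootUEFI into the same assess() logic.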
Detection Strategies
- Compare Secure Boot status reported by the BIOS against the value reported by the operating system on every boot, and alert on mismatches.
- Inventory and hash EFI binaries on managed endpoints, then flag deviations from a known-good baseline.
- Validate installed BIOS versions against the fixed releases listed in Lenovo advisory LEN-210688.
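The inventory-and-hash strategy above, as an added example that is not part of the advisory or Lenovo's tooling: it walks a mounted EFI System Partition, records a SHA-256 per .efi file, stores that as a JSON baseline, and later reports files that appeared, disappeared, or changed hash. The mount point, the baseline file name, and the sample ESP tree created by build_sample_esp() are assumptions constructed for demonstration.

```python
"""Inventory and hash .efi binaries on an EFI System Partition and flag
deviations from a known-good baseline.

Added example, not from the advisory. ESP_MOUNT and BASELINE_FILE are
assumed values; build_sample_esp() creates a constructed stand-in tree
whose contents are not real boot binaries.
"""
import hashlib
import json
import tempfile
from pathlib import Path

ESP_MOUNT = Path("/boot/efi")               # assumed mount point of the ESP
BASELINE_FILE = Path("esp-baseline.json")   # assumed baseline location


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_esp(esp_root: Path) -> dict:
    """Map every .efi file (path relative to the ESP, forward slashes) to its SHA-256."""
    return {
        p.relative_to(esp_root).as_posix(): sha256_of(p)
        for p in esp_root.rglob("*")
        if p.is_file() and p.suffix.lower() == ".efi"
    }


def diff_against_baseline(current: dict, baseline: dict) -> dict:
    """Report files that appeared, disappeared, or changed hash since the baseline."""
    common = current.keys() & baseline.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(k for k in common if current[k] != baseline[k]),
    }


def save_baseline(inv: dict, path: Path) -> None:
    path.write_text(json.dumps(inv, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def build_sample_esp(root: Path) -> None:
    """Constructed stand-in for an ESP; the bytes are not real boot binaries."""
    (root / "EFI/BOOT").mkdir(parents=True)
    (root / "EFI/BOOT/BOOTX64.EFI").write_bytes(b"MZ-sample-bootx64")
    (root / "EFI/vendor").mkdir()           # placeholder vendor directory
    (root / "EFI/vendor/loader.efi").write_bytes(b"MZ-sample-vendor-loader")


def run_demo() -> dict:
    """Baseline a sample ESP, simulate tampering, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp) / "esp"
        build_sample_esp(esp)
        baseline_path = Path(tmp) / BASELINE_FILE
        save_baseline(inventory_esp(esp), baseline_path)
        # Simulated deviation: an unexpected binary appears and a known one changes.
        (esp / "EFI/BOOT/unexpected.efi").write_bytes(b"MZ-unexpected")
        (esp / "EFI/vendor/loader.efi").write_bytes(b"MZ-sample-vendor-loader-modified")
        return diff_against_baseline(inventory_esp(esp), load_baseline(baseline_path))


if __name__ == "__main__":
    # For a real run: save_baseline(inventory_esp(ESP_MOUNT), BASELINE_FILE) once,
    # then diff_against_baseline(inventory_esp(ESP_MOUNT), load_baseline(BASELINE_FILE)).
    print(json.dumps(run_demo(), indent=2))
```

Take the baseline immediately after the fixed BIOS and a clean OS image are deployed, store it outside the endpoint, and treat any non-empty "added" or "changed" list as an investigation trigger rather than auto-remediating, since legitimate bootloader updates also change hashes.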
Monitoring Recommendations
- Collect UEFI and Secure Boot telemetry from managed ThinkPads and forward it to a central analytics platform for correlation.
- Monitor for unexpected reboots, BIOS configuration changes, and writes to the EFI System Partition.
- Track BIOS update compliance on the affected ThinkPad models as a recurring security metric.
How to Mitigate CVE-2026-0421
Immediate Actions Required
- Identify all L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads in the environment and prioritize them for BIOS updates.
- Apply the fixed BIOS firmware published in Lenovo Security Advisory LEN-210688.
- Restrict local administrative access on affected systems until firmware updates are deployed.
- Verify Secure Boot status from the operating system after patching, rather than relying solely on the BIOS setup display.
Patch Information
Lenovo has published remediation guidance and fixed BIOS versions for the affected ThinkPad models in advisory LEN-210688. Administrators should deploy the updated firmware through Lenovo System Update, Lenovo Commercial Vantage, or enterprise software distribution tooling that supports BIOS provisioning.
Workarounds
- Switch affected systems from Secure Boot User Mode to a configuration that is not impacted by the issue, where operationally feasible, until the BIOS update is applied.
- Enable BIOS administrator passwords and disable boot from removable media to reduce the risk of local exploitation.
- Use full-disk encryption with pre-boot authentication to limit an attacker's ability to stage malicious EFI binaries offline.
# Verify Secure Boot status from the operating system

# Windows (PowerShell, run as Administrator); prints True when Secure Boot is enforced
Confirm-SecureBootUEFI

# Linux; prints "SecureBoot enabled" or "SecureBoot disabled"
mokutil --sb-state
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.