CVE-2026-9046: Insecure Permissions in Lenovo Legion Zone and App Store Leads to Local Arbitrary Code Execution
CVE-2026-9046 describes an insecure permissions vulnerability in Lenovo's Legion Zone and Lenovo App Store Windows applications, distributed exclusively in the Chinese market, which, when installed on a non-system partition, allows a local low-privileged user to execute arbitrary code, leading to high impact on confidentiality, integrity, and availability.
CVE-2026-9046 details a critical insecure permissions vulnerability affecting Lenovo's Legion Zone (versions earlier than 2.0.26) and Lenovo App Store (versions earlier than 9.0.29) Windows applications. These applications are specifically distributed within the Chinese market. The vulnerability arises when either application is installed on a non-system partition, creating a scenario where a local, low-privileged user can exploit improperly configured file or directory permissions. This misconfiguration allows the attacker to place or modify malicious code within the application's installation path. Upon subsequent execution of the legitimate Lenovo application, the embedded malicious code is triggered, leading to arbitrary code execution in the context of the affected application, potentially escalating privileges and compromising system integrity.
Attack Chain
- A local attacker gains access to a Windows system as a low-privileged user.
- The attacker identifies the presence of vulnerable Lenovo applications, Legion Zone or Lenovo App Store, which are installed on a non-system disk partition.
- The attacker enumerates file and directory permissions for the vulnerable application's installation path, identifying insecure permissions that allow write access for low-privileged users.
- Leveraging these insecure permissions, the attacker places a malicious executable, DLL, or script into a critical location within the application's directory structure.
- A legitimate user or the system launches the compromised Lenovo application, which attempts to load or execute its components.
- The Lenovo application inadvertently loads and executes the attacker-placed malicious payload.
- The malicious code achieves arbitrary code execution within the security context of the Lenovo application, potentially leading to privilege escalation or further system compromise.
Impact
Successful exploitation of CVE-2026-9046 grants a local attacker the ability to execute arbitrary code on the affected Windows system. This can lead to a full system compromise, enabling the attacker to steal sensitive data, install persistent backdoors, deploy additional malware such as ransomware, or completely disrupt system operations. While the vulnerability requires local access, the high impact on confidentiality, integrity, and availability, coupled with the potential for privilege escalation, makes this a significant threat to systems within the Chinese market running the affected Lenovo applications.
Recommendation
- Patch CVE-2026-9046 immediately by updating Lenovo Legion Zone to version 2.0.26 or later, and Lenovo App Store to version 9.0.29 or later.
- Monitor process creation events for unusual executables launched from non-standard installation paths, especially within directories related to affected_products.
- Regularly review file and directory permissions on application installation folders, particularly for applications installed on non-system partitions, to identify and remediate insecure configurations (CWE-277).
- Enable comprehensive logging for file system modifications and process execution in application directories to detect potential malicious payload placement or execution.