{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/legion-zone--2.0.26/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-9046"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Legion Zone (\u003c 2.0.26)","Lenovo App Store (\u003c 9.0.29)"],"_cs_severities":["high"],"_cs_tags":["insecure-permissions","local-privilege-escalation","windows","arbitrary-code-execution"],"_cs_type":"advisory","_cs_vendors":["Lenovo"],"content_html":"\u003cp\u003eCVE-2026-9046 details a critical insecure permissions vulnerability affecting Lenovo's Legion Zone (versions earlier than 2.0.26) and Lenovo App Store (versions earlier than 9.0.29) Windows applications. These applications are specifically distributed within the Chinese market. The vulnerability arises when either application is installed on a non-system partition, creating a scenario where a local, low-privileged user can exploit improperly configured file or directory permissions. This misconfiguration allows the attacker to place or modify malicious code within the application's installation path. Upon subsequent execution of the legitimate Lenovo application, the embedded malicious code is triggered, leading to arbitrary code execution in the context of the affected application, potentially escalating privileges and compromising system integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA local attacker gains access to a Windows system as a low-privileged user.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the presence of vulnerable Lenovo applications, Legion Zone or Lenovo App Store, which are installed on a non-system disk partition.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates file and directory permissions for the vulnerable application's installation path, identifying insecure permissions that allow write access for low-privileged users.\u003c/li\u003e\n\u003cli\u003eLeveraging these insecure permissions, the attacker places a malicious executable, DLL, or script into a critical location within the application's directory structure.\u003c/li\u003e\n\u003cli\u003eA legitimate user or the system launches the compromised Lenovo application, which attempts to load or execute its components.\u003c/li\u003e\n\u003cli\u003eThe Lenovo application inadvertently loads and executes the attacker-placed malicious payload.\u003c/li\u003e\n\u003cli\u003eThe malicious code achieves arbitrary code execution within the security context of the Lenovo application, potentially leading to privilege escalation or further system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9046 grants a local attacker the ability to execute arbitrary code on the affected Windows system. This can lead to a full system compromise, enabling the attacker to steal sensitive data, install persistent backdoors, deploy additional malware such as ransomware, or completely disrupt system operations. While the vulnerability requires local access, the high impact on confidentiality, integrity, and availability, coupled with the potential for privilege escalation, makes this a significant threat to systems within the Chinese market running the affected Lenovo applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-9046 immediately by updating Lenovo Legion Zone to version 2.0.26 or later, and Lenovo App Store to version 9.0.29 or later.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual executables launched from non-standard installation paths, especially within directories related to affected_products.\u003c/li\u003e\n\u003cli\u003eRegularly review file and directory permissions on application installation folders, particularly for applications installed on non-system partitions, to identify and remediate insecure configurations (CWE-277).\u003c/li\u003e\n\u003cli\u003eEnable comprehensive logging for file system modifications and process execution in application directories to detect potential malicious payload placement or execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T17:23:00Z","date_published":"2026-07-16T17:23:00Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-9046-lenovo-insecure-permissions/","summary":"CVE-2026-9046 describes an insecure permissions vulnerability in Lenovo's Legion Zone and Lenovo App Store Windows applications, distributed exclusively in the Chinese market, which, when installed on a non-system partition, allows a local low-privileged user to execute arbitrary code, leading to high impact on confidentiality, integrity, and availability.","title":"CVE-2026-9046: Insecure Permissions in Lenovo Legion Zone and App Store Leads to Local Arbitrary Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-9046-lenovo-insecure-permissions/"}],"language":"en","title":"CraftedSignal Threat Feed - Legion Zone (\u003c 2.0.26)","version":"https://jsonfeed.org/version/1.1"}