April 20, 2022 at 12:39PM

More than 100 different Lenovo consumer laptop computers, used by millions of people worldwide, contain firmware-level vulnerabilities that give attackers a way to drop malware that can persist on a system even after a hard-drive replacement or operating system re-install.

Two of the vulnerabilities (CVE-2021-3971 and CVE-2021-3972) involve Unified Extensible Firmware Interface (UEFI) drivers that were meant for use only during the manufacturing process but inadvertently ended up being part of the BIOS image that shipped with the computers. The third (CVE-2021-3970) is a memory corruption bug in a function for detecting and logging system errors.