CVE-2026-0827

April 16, 2026

  • The LdeApi.Server.exe process attempts to write MP27AM7W_estimation.json to C:\ProgramData\Lenovo\LDE\SYSTEM without impersonation. This directory does not exist by default. Since C:\ProgramData\ allows standard users to create subdirectories, a low-privileged user can create this path and convert it into an NTFS junction pointing to an arbitrary location. The service follows the junction and writes the file with SYSTEM privileges to the attacker-controlled destination.

  • https://support.lenovo.com/us/en/product_security/LEN-210693
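A defensive check for the condition described above, added here as an example and not taken from the advisory or from Lenovo: it walks each component of the path named in the advisory and reports any reparse point, or any directory not owned by SYSTEM, Administrators or TrustedInstaller. The function name `Test-LdePathComponent` and the trusted-owner list are assumptions of this example.

```powershell
# Added example (not vendor code). The path comes from the advisory text.
$root   = 'C:\ProgramData'
$target = 'C:\ProgramData\Lenovo\LDE\SYSTEM'

# Well-known SIDs expected to own a directory that a SYSTEM service writes into.
$trustedOwners = @(
    'S-1-5-18',      # LocalSystem
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Test-LdePathComponent {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{ Path = $Path; Exists = $false; ReparsePoint = $false
                          LinkTarget = ''; OwnerSid = ''; Finding = 'absent' }
    if (Test-Path -LiteralPath $Path) {
        $item = Get-Item -LiteralPath $Path -Force
        $result.Exists       = $true
        $result.ReparsePoint = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
        $result.LinkTarget   = $item.Target -join ';'
        # Read the owner as a SID so the comparison does not depend on the OS language.
        $result.OwnerSid = (Get-Acl -LiteralPath $Path).GetOwner(
            [Security.Principal.SecurityIdentifier]).Value

        if ($result.ReparsePoint) {
            $result.Finding = 'reparse point in service write path'
        } elseif ($result.OwnerSid -notin $trustedOwners) {
            $result.Finding = 'directory owned by non-privileged principal'
        } else {
            $result.Finding = 'ok'
        }
    }
    [pscustomobject]$result
}

# Check every component below ProgramData: a junction at any level redirects the write.
$path   = $root
$report = foreach ($part in $target.Substring($root.Length).Trim('\').Split('\')) {
    $path = Join-Path $path $part
    Test-LdePathComponent -Path $path
}
$report | Format-Table -AutoSize

if ($report.Finding -match 'reparse point|non-privileged') {
    Write-Warning "Path $target is user-influenced; review before the service next writes to it."
}
```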


Credits