Description
The installers for multiple products provided by PIONEER CORPORATION contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privileges of the running installer.
Published: 2026-01-08
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution via installer DLL search path flaw
Action: Patch Now
AI Analysis

Impact

Installers supplied by PIONEER CORPORATION contain a DLL search path issue that allows insecure loading of Dynamic Link Libraries. This flaw can cause the installer to load and execute an attacker‑supplied DLL with the same privileges as the installer process, delivering arbitrary code execution and potentially elevating the attacker’s privileges on the target system. The vulnerability is categorized as CWE‑427 (Uncontrolled Search Path Element), the weakness class behind DLL hijacking.

Affected Systems

The affected installers are those for the following Pioneer Corporation audio products: the Stellanova APS‑S301 series, Stellanova Limited APS‑S202J‑LM, various Stellanova Lite models (APS‑S201JGL, APS‑S201JGR, APS‑S201JR, APS‑S201JS), and USB DAC Amplifier models (APS‑DA101JGL, APS‑DA101JGR, APS‑DA101JR, APS‑DA101JS). No specific firmware or software version details are provided in the current advisory.

Risk and Exploitability

The vulnerability has a high CVSS score of 8.5, indicating substantial impact if exploited. The EPSS score is below 1%, suggesting that exploitation attempts are currently uncommon, and the issue is not listed in CISA’s KEV catalog. Nevertheless, since the attack requires only the ability to run the vulnerable installer, an individual with local access or the ability to supply malicious DLLs can trigger the flaw. The most effective mitigation is to replace the installer with a patched version or to prevent the installer from loading arbitrary DLLs through environment controls.

Generated by OpenCVE AI on April 18, 2026 at 07:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest PIONEER installers that address the DLL search path vulnerability from the official support page and replace any older installer binaries.
  • Run the installer from a secured directory rather than an untrusted one, and avoid executing it in a folder that might contain malicious DLLs; consider temporarily clearing or limiting the system DLL search paths during installation.
  • Restrict system environment variables that influence DLL loading (e.g., PATH, SystemRoot) to known safe directories while the installer is running to reduce the risk of DLL hijacking.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
Title Insecure DLL Search Path in Pioneer Installers Allows Arbitrary Code Execution

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Pioneer
Pioneer stellanova Lite Aps-s201jgl
Pioneer stellanova Lite Aps-s201jgr
Pioneer stellanova Lite Aps-s201jr
Pioneer stellanova Lite Aps-s201js
Pioneer stelllanova Aps-s301 Series
Pioneer stelllanova Limited Aps-s202j-lm
Pioneer usb Dac Amplifier Aps-da101jgl
Pioneer usb Dac Amplifier Aps-da101jgr
Pioneer usb Dac Amplifier Aps-da101jr
Pioneer usb Dac Amplifier Aps-da101js
Vendors & Products Pioneer
Pioneer stellanova Lite Aps-s201jgl
Pioneer stellanova Lite Aps-s201jgr
Pioneer stellanova Lite Aps-s201jr
Pioneer stellanova Lite Aps-s201js
Pioneer stelllanova Aps-s301 Series
Pioneer stelllanova Limited Aps-s202j-lm
Pioneer usb Dac Amplifier Aps-da101jgl
Pioneer usb Dac Amplifier Aps-da101jgr
Pioneer usb Dac Amplifier Aps-da101jr
Pioneer usb Dac Amplifier Aps-da101js

Thu, 08 Jan 2026 04:15:00 +0000

Type Values Removed Values Added
Description The installers for multiple products provided by PIONEER CORPORATION contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privileges of the running installer.
Weaknesses CWE-427
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-01-22T07:03:11.927Z

Reserved: 2025-12-25T00:23:40.578Z

Link: CVE-2026-21427

Vulnrichment

Updated: 2026-01-08T15:52:53.638Z

NVD

Status: Deferred

Published: 2026-01-08T04:15:56.690

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-21427

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z

Weaknesses