Description
The installer of M-Track Duo HD version 1.0.0 contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with administrator privileges.
Published: 2026-02-12
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Arbitrary Code Execution with Administrator Privileges
Action: Immediate Patch
AI Analysis

Impact

The installer for M‑Audio M‑Track Duo HD version 1.0.0 contains an insecure DLL search path that allows an attacker to supply a malicious DLL that will be loaded during installation. If the installer runs with elevated privileges, this flaw permits execution of arbitrary code with full administrative rights. The vulnerability is classified as CWE-427, indicating path manipulation that leads to the uninhibited loading of untrusted libraries.

Affected Systems

Only the M‑Audio M‑Track Duo HD handheld device is affected, specifically the installer packaged in version 1.0.0. No other product variations or firmware versions are listed as impacted.

Risk and Exploitability

The CVSS base score is 7.1, indicating moderate to high severity. The EPSS probability is less than 1 percent, implying that exploitation is currently uncommon or unlikely. The vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is local; an attacker must be able to place a crafted DLL in the installer’s search path or otherwise persuade the installer to load an untrusted library. Because the installer elevates to administrative privileges, successful exploitation results in full control of the host machine.

Generated by OpenCVE AI on April 17, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest firmware or installer from M‑Audio that removes the insecure DLL search path handling.
  • Before running the installer, verify that the working directory contains no unknown DLLs and that the system PATH environment variable does not include untrusted paths.
  • If a vendor update is not yet available, run the installer from a dedicated, isolated directory and consider using application whitelisting or disabling DLL search path manipulation via Group Policy to prevent untrusted libraries from being loaded.

Generated by OpenCVE AI on April 17, 2026 at 20:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Insecure DLL Search Path in M‑Track Duo HD Installer Allows Privilege Escalation via Arbitrary Code Execution

Thu, 12 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared M-audio
M-audio m-track Duo Hd
Vendors & Products M-audio
M-audio m-track Duo Hd

Thu, 12 Feb 2026 05:15:00 +0000

Type Values Removed Values Added
Description The installer of M-Track Duo HD version 1.0.0 contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with administrator privileges.
Weaknesses CWE-427
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

M-audio M-track Duo Hd
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-02-12T15:07:19.491Z

Reserved: 2026-02-05T00:21:20.346Z

Link: CVE-2026-25676

cve-icon Vulnrichment

Updated: 2026-02-12T15:07:11.040Z

cve-icon NVD

Status : Deferred

Published: 2026-02-12T05:17:04.020

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25676

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:15:26Z

Weaknesses