Description
Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path.
Published: 2026-04-15
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Potential local code execution via unintended DLL search path
Action: Assess Impact
AI Analysis

Impact

A flaw in Yubico libfido2 before version 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 allows an attacker to influence the DLL search path used by these authentication libraries. The libraries accept a search path that can be manipulated so that a malicious DLL placed in that location could be loaded and executed with the privileges of the running process. This vulnerability is classified as CWE‑426, which covers DLL search order hijacking.

Affected Systems

Affected by Yubico, the following packages are impacted when used below the specified versions: libfido2 (versions < 1.17.0), python-fido2 (versions < 2.2.0), and yubikey-manager (versions < 5.9.1). All newer releases contain the fix and are not affected.

Risk and Exploitability

The CVSS score of 2.9 indicates a low overall severity. The exploit probability score is not available, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, implying no widespread exploitation is currently known. The likely attack vector is local or user‑initiated; an attacker would need to supply a crafted DLL path or otherwise influence the application’s environment for the malicious DLL to be loaded. If executed, the code runs with the privileges of the calling process, which could lead to local code execution or privilege escalation if the process runs as a privileged user.

Generated by OpenCVE AI on April 16, 2026 at 09:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update libfido2 to version 1.17.0 or newer, python-fido2 to 2.2.0 or newer, and yubikey-manager to 5.9.1 or newer.
  • If a patch is not immediately available, remove untrusted directories from the DLL search path or configure the application to use a safe, predefined DLL directory.
  • Avoid placing arbitrary DLLs in directories that the application searches for; ensure only trusted code is present in those paths.

Generated by OpenCVE AI on April 16, 2026 at 09:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
Title Unintended DLL Search Path in Yubico Authentication Libraries
First Time appeared Yubico
Yubico libfido2
Yubico python-fido2
Yubico yubikey-manager
Vendors & Products Yubico
Yubico libfido2
Yubico python-fido2
Yubico yubikey-manager

Wed, 15 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path.
Weaknesses CWE-426
References
Metrics cvssV3_1

{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Yubico Libfido2 Python-fido2 Yubikey-manager
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-16T13:18:13.069Z

Reserved: 2026-04-15T23:11:52.721Z

Link: CVE-2026-40947

cve-icon Vulnrichment

Updated: 2026-04-16T13:18:09.606Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-16T00:16:29.223

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-40947

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:15:30Z

Weaknesses