{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-40947", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-15T23:11:52.721Z", "datePublished": "2026-04-15T23:13:38.977Z", "dateUpdated": "2026-04-16T13:18:13.069Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "libfido2", "vendor": "Yubico", "versions": [{"lessThan": "1.17.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "python-fido2", "vendor": "Yubico", "versions": [{"lessThan": "2.2.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "yubikey-manager", "vendor": "Yubico", "versions": [{"lessThan": "5.9.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-426", "description": "CWE-426 Untrusted Search Path", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-15T23:21:38.944Z"}, "references": [{"url": "https://www.yubico.com/support/security-advisories/ysa-2026-01/"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T13:18:06.500345Z", "id": "CVE-2026-40947", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:18:13.069Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40947", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T13:18:06.500345Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:18:09.606Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.9, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Yubico", "product": "libfido2", "versions": [{"status": "affected", "version": "0", "lessThan": "1.17.0", "versionType": "semver"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}, {"vendor": "Yubico", "product": "python-fido2", "versions": [{"status": "affected", "version": "0", "lessThan": "2.2.0", "versionType": "semver"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}, {"vendor": "Yubico", "product": "yubikey-manager", "versions": [{"status": "affected", "version": "0", "lessThan": "5.9.1", "versionType": "semver"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.yubico.com/support/security-advisories/ysa-2026-01/"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-426", "description": "CWE-426 Untrusted Search Path"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-15T23:21:38.944Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40947", "state": "PUBLISHED", "dateUpdated": "2026-04-16T13:18:13.069Z", "dateReserved": "2026-04-15T23:11:52.721Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-15T23:13:38.977Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path."}], "id": "CVE-2026-40947", "lastModified": "2026-04-17T15:38:09.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-16T00:16:29.223", "references": [{"source": "cve@mitre.org", "url": "https://www.yubico.com/support/security-advisories/ysa-2026-01/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.17.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "libfido2", "source": "cna", "vendor": "Yubico"}, "product": "libfido2", "vendor": "yubico"}, {"configurations": [{"platform": ["windows"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "python-fido2", "source": "cna", "vendor": "Yubico"}, "product": "python-fido2", "vendor": "yubico"}, {"configurations": [{"platform": ["Windows"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.9.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "yubikey-manager", "vendor": "yubico"}], "analysis": {"en": {"generated_at": "2026-04-16T09:04:30.731870+00:00", "value": {"mitigation_remediation": ["Update libfido2 to version\u202f1.17.0 or newer, python-fido2 to 2.2.0 or newer, and yubikey-manager to 5.9.1 or newer.", "If a patch is not immediately available, remove untrusted directories from the DLL search path or configure the application to use a safe, predefined DLL directory.", "Avoid placing arbitrary DLLs in directories that the application searches for; ensure only trusted code is present in those paths."], "summary": {"action": "Assess Impact", "impact": "Potential local code execution via unintended DLL search path"}, "threat_synthesis": {"affected_systems": "Affected by Yubico, the following packages are impacted when used below the specified versions: libfido2 (versions <\u202f1.17.0), python-fido2 (versions <\u202f2.2.0), and yubikey-manager (versions <\u202f5.9.1). All newer releases contain the fix and are not affected.", "description_and_impact": "A flaw in Yubico libfido2 before version\u202f1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 allows an attacker to influence the DLL search path used by these authentication libraries. The libraries accept a search path that can be manipulated so that a malicious DLL placed in that location could be loaded and executed with the privileges of the running process. This vulnerability is classified as CWE\u2011426, which covers DLL search order hijacking.", "risk_and_exploitability": "The CVSS score of 2.9 indicates a low overall severity. The exploit probability score is not available, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, implying no widespread exploitation is currently known. The likely attack vector is local or user\u2011initiated; an attacker would need to supply a crafted DLL path or otherwise influence the application\u2019s environment for the malicious DLL to be loaded. If executed, the code runs with the privileges of the calling process, which could lead to local code execution or privilege escalation if the process runs as a privileged user."}}}}, "created": "2026-04-16T09:12:11.310487+00:00", "title": "Unintended DLL Search Path in Yubico Authentication Libraries", "updated": "2026-04-16T09:15:30.977271+00:00", "vendors": ["yubico", "yubico$PRODUCT$libfido2", "yubico$PRODUCT$python-fido2", "yubico$PRODUCT$yubikey-manager"]}