CVE-2026-40031
DLL Hijacking in MemProcFS Allows Arbitrary Code Execution
Publication date: 2026-04-08
Last updated on: 2026-04-17
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ufrisk | memprocfs | to 5.17 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in MemProcFS versions before 5.17 and involves unsafe library-loading patterns. Specifically, it allows DLL and shared-library hijacking through six different attack surfaces. The issue arises because MemProcFS uses bare-name LoadLibraryU and dlopen calls without specifying full paths for certain components like vmmpyc, libMSCompression, and plugin DLLs.
An attacker can exploit this by placing a malicious DLL or shared library in the working directory or by manipulating the LD_LIBRARY_PATH environment variable. When MemProcFS loads these libraries, it may load the malicious ones instead of the intended ones, leading to arbitrary code execution.
How can this vulnerability impact me? :
The vulnerability can lead to arbitrary code execution on the affected system. This means an attacker could run malicious code with the privileges of the user running MemProcFS.
- Potential impacts include unauthorized access to sensitive data.
- Compromise of system integrity and availability.
- Execution of malicious actions such as installing malware or creating backdoors.