CVE-2026-40947
Received Received - Intake
Unintended DLL Search Path in Yubico libfido2 and Tools

Publication date: 2026-04-16

Last updated on: 2026-04-16

Assigner: MITRE

Description
Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40947
EUVD
EUVD-2026-23135
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
yubico libfido2 to 1.17.0 (exc)
yubico python_fido2 to 2.2.0 (exc)
yubico yubikey_manager to 5.9.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects certain Yubico open source software projects on Windows, specifically libfido2 before version 1.17.0, python-fido2 before 2.2.0, and YubiKey Manager before 5.9.1. The issue is an unintended DLL search path, where the software loads DLLs without restricting the search to secure system directories.

Because of this, an attacker who can place a malicious DLL in the directory where the affected software or Python is installed could execute arbitrary code. However, exploiting this requires the attacker to have Administrator-level access if the software is installed in protected directories.

The root cause was that the software used unsafe DLL loading functions that did not limit the DLL search path to the secure System32 directory. This was fixed by updating the code to restrict DLL loading to the System32 directory only.

Impact Analysis

If you are using affected versions of libfido2, python-fido2, or YubiKey Manager on Windows, this vulnerability could allow an attacker with Administrator-level access to execute malicious code by placing a malicious DLL in the software's installation directory.

This could lead to unauthorized code execution within the context of the affected software, potentially compromising the system or the security functions provided by these libraries.

However, if the software is installed in directories protected by Administrator permissions, the risk is reduced since the attacker must already have high-level access to exploit this vulnerability.

Detection Guidance

To determine if your system is affected by this vulnerability, you can check the installed versions of the affected software using the following commands:

  • For libfido2: `fido2-token -V`
  • For python-fido2: `pip show fido2` or `python3.x -m pip show fido2` if multiple Python versions are installed
  • For YubiKey Manager: `ykman -v`
Mitigation Strategies

The immediate mitigation step is to update the affected software to the latest versions where the vulnerability has been fixed:

  • Update libfido2 to version 1.17.0 or later.
  • Update python-fido2 to version 2.2.0 or later.
  • Update YubiKey Manager to version 5.9.1 or later.

Additionally, ensure that the software is installed in directories protected by Administrator permissions to reduce the risk of exploitation.

Following Microsoft's guidance on secure installation locations is also recommended to further mitigate the risk.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40947. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart