CVE-2026-40947
Status: Received - Intake
Unintended DLL Search Path in Yubico libfido2 and Tools

Publication date: 2026-04-16

Last updated on: 2026-04-16

Assigner: MITRE

Description
Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-16
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor   Product           Affected versions
yubico   libfido2          < 1.17.0
yubico   python_fido2      < 2.2.0
yubico   yubikey_manager   < 5.9.1
Weakness
CWE-426 (Untrusted Search Path): The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects certain Yubico open source software projects on Windows, specifically libfido2 before version 1.17.0, python-fido2 before 2.2.0, and YubiKey Manager before 5.9.1. The issue is an unintended DLL search path (CWE-426): the software loaded DLLs by file name and let Windows search its default set of directories, instead of restricting the search to the protected System32 directory.

Because of this, an attacker who can write a same-named DLL into the directory where the affected software, or the Python interpreter running it, is installed can get arbitrary code executed in the context of that software. When the software is installed in a protected location such as Program Files, exploiting this requires the attacker to already have Administrator-level access. If it is installed somewhere the user can write to (for example a per-user Python installation), no elevation is needed to plant the DLL, but the attacker then already runs as that user and gains nothing beyond that user's privileges unless the tool is later run with higher ones.

The root cause was that the code used DLL loading calls that did not limit the search path to the secure System32 directory. The fix restricts DLL loading to the System32 directory only.
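To make the root cause concrete, the following is an added illustration in Python; it is not code from libfido2, python-fido2 or yubikey-manager, whose actual call sites this page does not show. It contrasts loading a DLL by bare name with ctypes' default search (on Windows that is LoadLibraryExW with LOAD_LIBRARY_SEARCH_DEFAULT_DIRS, which looks in the directory of python.exe before System32) against a load pinned to System32, and adds a path check for confirming where a loaded DLL was actually resolved. bcrypt.dll is used only as a stand-in Windows system DLL; the page does not say which DLL names were affected. The loaders run only on Windows; the path helpers run anywhere because they use ntpath.

```python
"""Added illustration: bare-name DLL loading versus a load pinned to System32.

Not libfido2 / python-fido2 / ykman code.  The DLL name is a stand-in; the CVE
entry does not name the affected DLLs.  The loaders only run on Windows; the
path helpers run anywhere (they use ntpath, i.e. Windows path rules).
"""
import ctypes
import ntpath
import os
import sys

# Documented LoadLibraryExW flags.
LOAD_LIBRARY_SEARCH_DEFAULT_DIRS = 0x00001000  # app dir + System32 + AddDllDirectory dirs
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800      # %SystemRoot%\System32 only


def system32_dir(system_root=None):
    """Path of System32; taken from %SystemRoot% unless given explicitly."""
    root = system_root or os.environ.get("SystemRoot", r"C:\Windows")
    return ntpath.join(root, "System32")


def is_under_system32(path, system_root=None):
    """True only if `path` is an absolute path inside System32 after normalisation.

    Relative names and '..' escapes are rejected, so a DLL resolved from the
    application or Python directory is reported as not-System32.
    """
    sys32 = ntpath.normcase(ntpath.normpath(system32_dir(system_root)))
    candidate = ntpath.normcase(ntpath.normpath(path))
    if not ntpath.isabs(candidate):
        return False
    try:
        return candidate != sys32 and ntpath.commonpath([sys32, candidate]) == sys32
    except ValueError:  # different drives, or mixed absolute/relative paths
        return False


def load_dll_by_bare_name(name):
    """'Before' pattern: ctypes.WinDLL(name) with no winmode.

    Since Python 3.8 this is LoadLibraryExW(name, LOAD_LIBRARY_SEARCH_DEFAULT_DIRS),
    so the directory containing python.exe is searched before System32 and a
    same-named DLL planted there wins.  Windows only.
    """
    if sys.platform != "win32":
        raise OSError("LoadLibrary is a Windows API; nothing to demonstrate here")
    return ctypes.WinDLL(name)


def load_system_dll(name):
    """'After' pattern: restrict the search to System32.

    Refuses anything that is not a bare file name, so a caller cannot pass a
    relative or absolute path that would bypass the restriction.  Windows only.
    """
    if not name or ntpath.basename(name) != name:
        raise ValueError("expected a bare DLL file name, got %r" % (name,))
    if sys.platform != "win32":
        raise OSError("LoadLibrary is a Windows API; nothing to demonstrate here")
    return ctypes.WinDLL(name, winmode=LOAD_LIBRARY_SEARCH_SYSTEM32)


def loaded_module_path(dll):
    """Where Windows actually resolved a loaded DLL (GetModuleFileNameW).  Windows only."""
    buf = ctypes.create_unicode_buffer(32768)
    ctypes.windll.kernel32.GetModuleFileNameW(ctypes.c_void_p(dll._handle), buf, len(buf))
    return buf.value


if __name__ == "__main__" and sys.platform == "win32":
    # Demo with a stand-in system DLL: the pinned load must resolve under System32.
    lib = load_system_dll("bcrypt.dll")
    where = loaded_module_path(lib)
    print(where, "under System32:", is_under_system32(where))
```

On an affected layout, the telling check is `is_under_system32(loaded_module_path(lib))` after a bare-name load: if it returns False, the DLL came from the application or Python directory, which is exactly the location the description above says an attacker would target.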


How can this vulnerability impact me?

If you are using affected versions of libfido2, python-fido2, or YubiKey Manager on Windows, an attacker who can place a malicious DLL in the software's installation directory (or the Python interpreter's directory) can have it loaded and executed in place of the intended DLL.

This gives unauthorized code execution in the context of the affected software, which can compromise the system or the security functions these libraries provide.

If the software is installed in directories that only Administrators can write to, the risk is reduced, since the attacker must already have that level of access to place the DLL.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

To determine whether your system is affected, check the installed versions of the affected software with the following commands and compare them against the fixed versions (1.17.0, 2.2.0 and 5.9.1):

  • For libfido2: `fido2-token -V`
  • For python-fido2: `pip show fido2`, or `python3.x -m pip show fido2` run once per installed Python interpreter, since each interpreter has its own set of packages
  • For YubiKey Manager: `ykman -v`
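The three checks above, wrapped into one script, as an added example that is not Yubico tooling. It runs each command, reads stdout and stderr together (fido2-token writes its version to stderr), parses the first x.y.z it finds and compares it with the fixed version of that component. The pip check uses the pip of the interpreter running the script, so run it once under each Python you care about. Sample outputs in the comments and tests are constructed.

```python
"""Added example: report whether the three components named in this CVE are
below their fixed versions.  Not Yubico tooling; it wraps the commands listed
above and compares the first x.y.z it finds.
"""
import re
import shutil
import subprocess
import sys

# First fixed version of each component, per the advisory text above.
FIXED = {
    "libfido2": (1, 17, 0),
    "python-fido2": (2, 2, 0),
    "yubikey-manager": (5, 9, 1),
}

# Commands whose output carries the version.  fido2-token -V prints to stderr,
# so stdout and stderr are read together below.  The pip check uses the pip of
# the interpreter running this script; re-run under each Python you care about.
COMMANDS = {
    "libfido2": ["fido2-token", "-V"],
    "python-fido2": [sys.executable, "-m", "pip", "show", "fido2"],
    "yubikey-manager": ["ykman", "-v"],
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from tool output, or None if no version is present.

    For `pip show` output the 'Version:' line is used, so a version-like string
    in the Summary line cannot be mistaken for it.  Pre-release suffixes
    (e.g. 1.17.0rc1) are ignored, so a pre-release counts as the final release.
    """
    for line in text.splitlines():
        if line.lower().startswith("version:"):
            text = line
            break
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable(component, output):
    """True if the version in `output` is below the fix for `component`; None if unparsable."""
    v = parse_version(output)
    return None if v is None else v < FIXED[component]


def run_command(cmd):
    """Run `cmd` and return its combined stdout+stderr, or None if the program is absent."""
    if shutil.which(cmd[0]) is None:
        return None
    p = subprocess.run(cmd, capture_output=True, text=True)
    return p.stdout + p.stderr


def check_all():
    """Map component -> True (vulnerable), False (fixed), or None (not installed / unknown)."""
    result = {}
    for component, cmd in COMMANDS.items():
        out = run_command(cmd)
        result[component] = None if out is None else is_vulnerable(component, out)
    return result


if __name__ == "__main__":
    for component, state in check_all().items():
        label = {True: "VULNERABLE", False: "fixed", None: "not found"}[state]
        print(f"{component:16s} {label}")
```

A component reported as "not found" means the program is not on PATH (or, for python-fido2, not installed for this interpreter), not that it is absent from the machine; check other Python installations and non-PATH install locations separately.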

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the affected software to the latest versions where the vulnerability has been fixed:

  • Update libfido2 to version 1.17.0 or later.
  • Update python-fido2 to version 2.2.0 or later.
  • Update YubiKey Manager to version 5.9.1 or later.

Additionally, install the software in directories that standard users cannot write to (those protected by Administrator permissions), so that an attacker without elevated rights cannot place a DLL next to it.

Following Microsoft's guidance on secure installation locations is also recommended to further reduce the risk.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

