CVE-2026-36574
Deferred Deferred - Pending Action
DLL Hijacking in CactusViewer v2.3.0

Publication date: 2026-06-03

Last updated on: 2026-06-08

Assigner: MITRE

Description
A DLL hijacking vulnerability in Wassimulator (GitHub) CactusViewer v2.3.0 allows attackers to escalate privileges and execute arbitrary code via a crafted DLL.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-08
Generated
2026-06-23
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-36574
EUVD
EUVD-2026-34098
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wassimulator cactusviewer 2.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of the DLL hijacking vulnerability in CactusViewer v2.3.0 on compliance with common standards and regulations such as GDPR or HIPAA.

However, since the vulnerability allows arbitrary code execution with the privileges of the user running the application, it could potentially lead to unauthorized access or manipulation of sensitive data, which may indirectly affect compliance with data protection regulations.

No explicit references to compliance implications or regulatory impact are mentioned in the available resources.

Executive Summary

CVE-2026-36574 is a DLL hijacking vulnerability in CactusViewer v2.3.0, a Windows application. The vulnerability allows an attacker to escalate privileges and execute arbitrary code by placing a malicious DLL in the same directory as the CactusViewer executable.

When CactusViewer launches, it searches for several DLL files (such as D3DCOMPILER_47.dll, d3d11.dll, dxgi.dll, CRYPTSP.dll, d3d10warp.dll, and Wldp.dll) in its own directory before checking the Windows system directory. Because these DLLs are not part of the Windows KnownDLLs registry, Windows does not enforce loading them from the system directory, allowing the malicious DLL to be loaded instead.

This vulnerability is classified under CWE-427 (Uncontrolled Search Path Element) and requires user interaction to exploit (launching the executable). The attacker can achieve arbitrary code execution in the context of the user running the application.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary code with the privileges of the user running CactusViewer. This means the attacker could potentially escalate privileges, install malware, steal data, or perform other malicious actions on the affected system.

The attack requires placing a malicious DLL in the application directory and having the user launch the application, making social engineering or physical access possible attack vectors.

Because the vulnerability allows code execution, it can compromise system integrity, confidentiality, and availability depending on the attacker's goals and the user's privileges.

Detection Guidance

This vulnerability can be detected by checking if the CactusViewer v2.3.0 application directory contains any unexpected or suspicious DLL files that could be malicious. Since the vulnerability involves DLL hijacking, an attacker places a malicious DLL in the same directory as the executable.

You can manually inspect the directory where CactusViewer.exe is located for DLL files named like D3DCOMPILER_47.dll, d3d11.dll, dxgi.dll, CRYPTSP.dll, d3d10warp.dll, or Wldp.dll that are not from the official Windows system directory.

Suggested commands to detect suspicious DLLs in the application directory on Windows include:

  • Use PowerShell to list DLL files in the application directory: Get-ChildItem -Path "C:\Path\To\CactusViewer" -Filter *.dll
  • Check the digital signature of DLL files to verify authenticity: Get-AuthenticodeSignature -FilePath "C:\Path\To\CactusViewer\suspicious.dll"
  • Use Process Monitor (ProcMon) from Sysinternals to monitor DLL loading by CactusViewer.exe and detect if it loads DLLs from unexpected locations.

Since the vulnerability requires user interaction (launching the executable), monitoring process execution and DLL load paths can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include preventing the application from loading DLLs from untrusted directories by restricting the DLL search path.

  • Use absolute paths for loading DLLs within the application to avoid searching in the application directory.
  • Modify the application to call SetDllDirectory("") at startup to remove the current directory from the DLL search path.
  • Use SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) to restrict DLL loading to the Windows System32 directory.

Additionally, ensure that no untrusted DLL files exist in the application directory and educate users not to run the vulnerable application until a patch is available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36574. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart