CVE-2026-3091 Overview
An uncontrolled search path element vulnerability has been identified in Synology Presto Client before version 2.1.3-0672. This security flaw allows local users to read or write arbitrary files during the installation process by placing a malicious DLL in advance in the same directory as the installer. This type of vulnerability, also known as DLL hijacking or DLL preloading, exploits the Windows DLL search order to load malicious code with the privileges of the installer.
Critical Impact
Local attackers can leverage this vulnerability to execute arbitrary code with elevated privileges during Synology Presto Client installation, potentially leading to full system compromise.
Affected Products
- Synology Presto Client versions prior to 2.1.3-0672
Discovery Timeline
- 2026-02-24 - CVE CVE-2026-3091 published to NVD
- 2026-02-24 - Last updated in NVD database
Technical Details for CVE-2026-3091
Vulnerability Analysis
This vulnerability falls under CWE-427 (Uncontrolled Search Path Element), a common weakness in Windows applications that fail to properly specify the search path for loading dynamic-link libraries. When the Synology Presto Client installer executes, it attempts to load certain DLLs without specifying a fully qualified path. Windows then follows its default DLL search order, which includes the directory from which the application loaded.
The local attack vector requires the attacker to have prior access to the system to place a malicious DLL in the same directory as the installer. While this requires local access and user interaction (the victim must run the installer), successful exploitation can result in complete compromise of confidentiality, integrity, and availability on the affected system.
Root Cause
The root cause lies in the installer's failure to implement secure DLL loading practices. When loading dependencies, the application does not use absolute paths or implement DLL search order hardening techniques such as SetDllDirectory("") or the LOAD_LIBRARY_SEARCH_SYSTEM32 flag. This allows an attacker-controlled DLL to be loaded from an untrusted location before the legitimate system DLL.
Attack Vector
The attack scenario proceeds as follows:
- The attacker identifies which DLLs the Synology Presto Client installer attempts to load
- The attacker creates a malicious DLL with the same name as a legitimately required library
- The malicious DLL is placed in a location the user is likely to download the installer to (such as the Downloads folder)
- When the victim downloads the installer to that location and executes it, the malicious DLL is loaded instead of the legitimate system library
- The malicious code executes with the same privileges as the installer, potentially with elevated rights if the user accepted a UAC prompt
Since installers often request and run with elevated privileges, successful exploitation typically results in code execution with administrative rights.
Detection Methods for CVE-2026-3091
Indicators of Compromise
- Presence of unexpected DLL files in common download directories (Downloads, Desktop, temp folders)
- DLL files in user-writable directories that share names with common Windows system libraries
- Unusual process behavior during Synology Presto Client installation
- Suspicious DLL load events from non-standard paths during installation processes
Detection Strategies
- Monitor for DLL load events where the loaded module path does not match expected system directories
- Implement application whitelisting to prevent unauthorized DLLs from executing
- Use endpoint detection solutions to identify DLL hijacking attempts during software installation
- Audit file creation events in common installer locations for DLL files
Monitoring Recommendations
- Enable Windows Event Logging for process creation and module loading events
- Configure endpoint security solutions to alert on DLL loads from user-writable directories
- Implement file integrity monitoring on directories commonly used for software downloads
- Review installation logs for anomalous library loading behavior
How to Mitigate CVE-2026-3091
Immediate Actions Required
- Upgrade Synology Presto Client to version 2.1.3-0672 or later immediately
- Verify the integrity of any existing Synology Presto Client installations
- Clear download directories of any suspicious DLL files before running installers
- Run installers from a clean, dedicated directory rather than common download folders
Patch Information
Synology has addressed this vulnerability in Presto Client version 2.1.3-0672. Organizations should update to this version or later as soon as possible. The security advisory is available at the Synology Security Advisory SA-26-02 page.
Workarounds
- Move the installer to a clean directory (such as C:\Temp\Clean\) before execution to avoid loading rogue DLLs
- Verify the digital signature of the installer before execution
- Run the installer from a directory with restricted write permissions
- Use application control policies to prevent unauthorized DLL execution
- Consider using a dedicated installation account with limited access to minimize attack surface
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
