CVE-2026-32679 Overview
CVE-2026-32679 is a DLL search order hijacking vulnerability affecting the Windows installers for LiveOn Meet Client and Canon Network Camera Plugin. The affected installers, Downloader5Installer.exe, Downloader5InstallerForAdmin.exe, CanonNWCamPlugin.exe, and CanonNWCamPluginForAdmin.exe, insecurely load Dynamic Link Libraries (DLLs) from their working directory. An attacker who places a malicious DLL alongside the installer can execute arbitrary code with the privileges of the user running the installer. The flaw is classified under CWE-427 (Uncontrolled Search Path Element).
Critical Impact
Local code execution with the privileges of the user invoking the installer. Administrator-targeted installers expand the blast radius if exploited during privileged installation.
Affected Products
- LiveOn Meet Client for Windows installers (Downloader5Installer.exe, Downloader5InstallerForAdmin.exe)
- Canon Network Camera Plugin installers (CanonNWCamPlugin.exe, CanonNWCamPluginForAdmin.exe)
- Windows endpoints where these installers are executed from user-writable directories such as Downloads
Discovery Timeline
- 2026-04-23 - CVE-2026-32679 published to NVD
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2026-32679
Vulnerability Analysis
The vulnerability stems from insecure DLL loading behavior in four Windows installer executables shipped by LiveOn and Canon. When the installers launch, they resolve dependent DLLs through the standard Windows search order, which includes the current working directory. Attackers exploit this by planting a crafted DLL with a matching name in the same directory as the installer. The installer loads the attacker-controlled DLL and executes its DllMain entry point under the user context that started the installer.
Because browsers commonly save installer binaries to the Downloads folder, the attack surface is large. Any pre-positioned DLL in that directory will be picked up before the legitimate system DLL. When a user runs Downloader5InstallerForAdmin.exe or CanonNWCamPluginForAdmin.exe with elevated rights, the planted code inherits those rights and can persist on the system, modify protected directories, or install additional payloads.
Root Cause
The installers do not specify a fully qualified path when loading their dependencies and do not call SetDefaultDllDirectories or SetDllDirectory to constrain the search path. This produces an Uncontrolled Search Path Element condition where the loader resolves library names against the executable's directory before secure system locations.
Attack Vector
Exploitation requires local access and user interaction. An attacker delivers a malicious DLL to a directory that already contains, or will receive, one of the affected installer binaries. Common delivery techniques include archive bundling, where a ZIP file packages the legitimate installer next to a sibling DLL, and drive-by downloads that drop a DLL into the Downloads folder before the user runs an installer fetched separately. When the victim launches the installer, the loader picks up the attacker DLL and runs its code in-process. Refer to JVN #45563482 and the LiveOn Security Report 2026 for vendor technical details.
Detection Methods for CVE-2026-32679
Indicators of Compromise
- Unsigned or unexpected DLL files sharing a directory with Downloader5Installer.exe, Downloader5InstallerForAdmin.exe, CanonNWCamPlugin.exe, or CanonNWCamPluginForAdmin.exe
- Installer processes loading modules from user-writable paths such as %USERPROFILE%\Downloads instead of %SystemRoot%\System32
- Child processes spawned by the installers that do not match the vendor's expected installation workflow
Detection Strategies
- Hunt in EDR telemetry for ImageLoad events where the parent process is one of the four affected installers and the loaded module path is outside trusted system directories.
- Alert on the affected installer executables writing or executing files immediately after a non-system DLL load event in the same directory.
- Correlate Windows Sysmon Event ID 7 (Image Loaded) with Event ID 1 (Process Create) to flag installers loading unsigned DLLs from Downloads.
Monitoring Recommendations
- Enable module load auditing on endpoints and forward Sysmon and Windows Defender Application Control logs to a central SIEM for retrospective hunting.
- Track signature status of every DLL loaded by installer binaries and alert when an unsigned module is mapped into a vendor-signed installer.
- Monitor user Downloads directories for the appearance of DLLs whose names match known Windows system libraries.
How to Mitigate CVE-2026-32679
Immediate Actions Required
- Apply the fixed installer versions published by LiveOn and Canon as referenced in JVN #45563482.
- Instruct users to move installer executables into an empty, dedicated directory before running them, eliminating untrusted sibling DLLs.
- Block execution of unsigned DLLs loaded from user profile paths using Windows Defender Application Control or AppLocker policies.
Patch Information
LiveOn and Canon have published advisories through JVN. Administrators should download the latest installer builds directly from the vendor portals referenced in the LiveOn Security Report 2026 and the JVN advisory, and redistribute them through managed software deployment channels rather than allowing end-user downloads.
Workarounds
- Run affected installers only from a clean directory that contains no other files.
- Restrict standard users from executing installers, and deploy approved versions through a managed software distribution system.
- Enforce SmartScreen and Mark-of-the-Web checks so downloaded archives are inspected before extraction.
# Example AppLocker rule fragment blocking DLL loads from user Downloads
# Save as policy XML and import via Set-AppLockerPolicy
<RuleCollection Type="Dll" EnforcementMode="Enabled">
<FilePathRule Id="a1b2c3d4-0001-0000-0000-000000000001"
Name="Block DLLs from Downloads"
Description="Prevents DLL planting next to installers"
UserOrGroupSid="S-1-1-0"
Action="Deny">
<Conditions>
<FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\*.dll" />
</Conditions>
</FilePathRule>
</RuleCollection>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


