CVE-2026-40947 Overview
CVE-2026-40947 is an unintended DLL search path vulnerability affecting multiple Yubico products including libfido2 before version 1.17.0, python-fido2 before version 2.2.0, and yubikey-manager before version 5.9.1. This vulnerability falls under CWE-426 (Untrusted Search Path), which can allow attackers to load malicious DLL files if they have local access to the system.
Critical Impact
Local attackers with the ability to place malicious DLL files in the search path could potentially achieve code execution or compromise the integrity of Yubico authentication operations.
Affected Products
- Yubico libfido2 versions before 1.17.0
- Yubico python-fido2 versions before 2.2.0
- Yubico yubikey-manager versions before 5.9.1
Discovery Timeline
- 2026-04-16 - CVE CVE-2026-40947 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-40947
Vulnerability Analysis
This vulnerability exists due to an unintended DLL search path in Yubico's FIDO2 and YubiKey management software stack. When the affected applications load dynamic link libraries, they may inadvertently search for DLLs in untrusted locations before checking secure system directories. This allows an attacker with local access to place a malicious DLL in a directory that precedes the legitimate DLL location in the search order.
The vulnerability requires local access and specific conditions to exploit, as the attacker must be able to write files to a directory in the DLL search path. The impact is limited to integrity compromise without affecting confidentiality or availability directly.
Root Cause
The root cause is an insecure DLL search path implementation (CWE-426) in the affected Yubico components. When loading required DLL dependencies, the applications do not sufficiently restrict or validate the directories from which DLLs can be loaded. This allows the Windows DLL search order to potentially resolve to attacker-controlled directories.
Attack Vector
The attack vector is local, requiring the attacker to have existing access to the target system. The attacker must:
- Identify a writable directory in the DLL search path used by the vulnerable Yubico applications
- Place a malicious DLL with the expected filename in that directory
- Wait for or trigger the victim to execute one of the affected Yubico applications
- The application loads the malicious DLL instead of the legitimate one
Due to the local access requirement and specific conditions needed, exploitation complexity is considered high. For detailed technical information, refer to the Yubico Security Advisory YSA-2026-01.
Detection Methods for CVE-2026-40947
Indicators of Compromise
- Unexpected DLL files appearing in application directories or user-writable paths that should not contain Yubico-related libraries
- Process execution of Yubico applications loading DLLs from non-standard locations
- Anomalous file write operations to directories in the DLL search path prior to Yubico application execution
Detection Strategies
- Monitor for DLL loading events from Yubico applications (libfido2, python-fido2, yubikey-manager) originating from unexpected directories
- Implement application whitelisting to prevent unauthorized DLL execution
- Use endpoint detection tools to identify DLL hijacking patterns associated with FIDO2/YubiKey software
Monitoring Recommendations
- Enable DLL load event logging on Windows systems where Yubico software is deployed
- Monitor file system activity in directories commonly used for DLL hijacking attacks
- Alert on creation of new DLL files in user-writable directories that are in the application search path
How to Mitigate CVE-2026-40947
Immediate Actions Required
- Upgrade libfido2 to version 1.17.0 or later
- Upgrade python-fido2 to version 2.2.0 or later
- Upgrade yubikey-manager to version 5.9.1 or later
- Audit systems for unexpected DLL files in application directories
Patch Information
Yubico has released patched versions of all affected components that address the DLL search path vulnerability. Organizations should update to the following minimum versions:
| Component | Fixed Version |
|---|---|
| libfido2 | 1.17.0 |
| python-fido2 | 2.2.0 |
| yubikey-manager | 5.9.1 |
For complete patch details and download links, consult the Yubico Security Advisory YSA-2026-01.
Workarounds
- Restrict write permissions on directories in the DLL search path to prevent unauthorized DLL placement
- Implement application control policies to only allow signed Yubico DLLs to load
- Use Windows Defender Application Control (WDAC) or similar solutions to enforce DLL signing requirements
- Run Yubico applications from directories with restricted write access
# Example: Restrict permissions on Yubico application directory (Windows PowerShell)
# Ensure only administrators can write to the installation directory
icacls "C:\Program Files\Yubico" /inheritance:r /grant "Administrators:(OI)(CI)F" /grant "SYSTEM:(OI)(CI)F" /grant "Users:(OI)(CI)RX"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
