CWE-426
Allowed-with-ReviewUntrusted Search Path
Abstraction: Base · Status: Stable
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
892 vulnerabilities reference this CWE, most recent first.
GHSA-VM6G-JX28-WCFP
Vulnerability from github – Published: 2022-02-08 00:00 – Updated: 2023-07-03 21:30NVIDIA Omniverse Launcher contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can get user to browse malicious site, to acquire access tokens allowing them to access resources in other security domains, which may lead to code execution, escalation of privileges, and impact to confidentiality and integrity.
{
"affected": [],
"aliases": [
"CVE-2022-21817"
],
"database_specific": {
"cwe_ids": [
"CWE-426",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-02T13:15:00Z",
"severity": "CRITICAL"
},
"details": "NVIDIA Omniverse Launcher contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can get user to browse malicious site, to acquire access tokens allowing them to access resources in other security domains, which may lead to code execution, escalation of privileges, and impact to confidentiality and integrity.",
"id": "GHSA-vm6g-jx28-wcfp",
"modified": "2023-07-03T21:30:55Z",
"published": "2022-02-08T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21817"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5318"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VMG3-7V43-9G23
Vulnerability from github – Published: 2025-07-17 21:32 – Updated: 2025-10-23 20:16NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial of service.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/NVIDIA/nvidia-container-toolkit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/NVIDIA/k8s-device-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.17.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/NVIDIA/gpu-operator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "25.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/NVIDIA/mig-parted"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-23266"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-30T17:11:03Z",
"nvd_published_at": "2025-07-17T20:15:28Z",
"severity": "CRITICAL"
},
"details": "NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial of service.",
"id": "GHSA-vmg3-7v43-9g23",
"modified": "2025-10-23T20:16:38Z",
"published": "2025-07-17T21:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23266"
},
{
"type": "WEB",
"url": "https://github.com/NVIDIA/gpu-operator"
},
{
"type": "WEB",
"url": "https://github.com/NVIDIA/k8s-device-plugin"
},
{
"type": "WEB",
"url": "https://github.com/NVIDIA/mig-parted"
},
{
"type": "WEB",
"url": "https://github.com/NVIDIA/nvidia-container-toolkit"
},
{
"type": "WEB",
"url": "https://kidbomb.github.io/posts/nvidia-container-escape-cve-2025-23266"
},
{
"type": "WEB",
"url": "https://kidbomb.github.io/posts/nvidia-container-escape-cve-2025-23266-part-2"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=44818412"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5659"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3992"
},
{
"type": "WEB",
"url": "https://www.wiz.io/blog/nvidia-ai-vulnerability-cve-2025-23266-nvidiascape"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "NVIDIA Container Toolkit for all platforms contains an Untrusted Search Path"
}
GHSA-VP99-238F-WV9J
Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06A DLL hijacking vulnerability in Trend Micro Security 2019 (Consumer) versions below 15.0.0.1163 and below could allow an attacker to manipulate a specific DLL and escalate privileges on vulnerable installations.
{
"affected": [],
"aliases": [
"CVE-2018-18333"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-05T22:29:00Z",
"severity": "HIGH"
},
"details": "A DLL hijacking vulnerability in Trend Micro Security 2019 (Consumer) versions below 15.0.0.1163 and below could allow an attacker to manipulate a specific DLL and escalate privileges on vulnerable installations.",
"id": "GHSA-vp99-238f-wv9j",
"modified": "2022-05-13T01:06:14Z",
"published": "2022-05-13T01:06:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18333"
},
{
"type": "WEB",
"url": "https://esupport.trendmicro.com/en-us/home/pages/technical-support/1121932.aspx"
},
{
"type": "WEB",
"url": "https://gaissecurity.com/yazi/discovery-of-dll-hijack-on-trend-micro-antivirusplus-cve-2018-18333"
},
{
"type": "WEB",
"url": "https://kaganisildak.com/2019/01/17/discovery-of-dll-hijack-on-trend-micro-antivirus-cve-2018-18333"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQG7-J269-7V36
Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2024-04-04 02:43Unquoted service path in Control Center-I version 2.1.0.0 and earlier may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2019-14599"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-16T20:15:00Z",
"severity": "HIGH"
},
"details": "Unquoted service path in Control Center-I version 2.1.0.0 and earlier may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-vqg7-j269-7v36",
"modified": "2024-04-04T02:43:49Z",
"published": "2022-05-24T17:03:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14599"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00299.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VX94-RRVX-2GP4
Vulnerability from github – Published: 2022-05-17 02:40 – Updated: 2022-05-17 02:40Untrusted search path vulnerability in the installer of Tera Term 4.94 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-2193"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-09T16:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in the installer of Tera Term 4.94 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-vx94-rrvx-2gp4",
"modified": "2022-05-17T02:40:12Z",
"published": "2022-05-17T02:40:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2193"
},
{
"type": "WEB",
"url": "https://ttssh2.osdn.jp/SA/JVN06770361.html.en"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN06770361/index.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98807"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W222-JQ9R-PRXF
Vulnerability from github – Published: 2022-05-17 02:27 – Updated: 2022-05-17 02:27Untrusted search path vulnerability in The installer of MLIT DenshiSeikabutsuSakuseiShienKensa system Ver3.02 and earlier, distributed till June 20, 2017, The self-extracting archive including the installer of MLIT DenshiSeikabutsuSakuseiShienKensa system Ver3.02 and earlier, distributed till June 20, 2017 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-2231"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-07T13:29:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in The installer of MLIT DenshiSeikabutsuSakuseiShienKensa system Ver3.02 and earlier, distributed till June 20, 2017, The self-extracting archive including the installer of MLIT DenshiSeikabutsuSakuseiShienKensa system Ver3.02 and earlier, distributed till June 20, 2017 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-w222-jq9r-prxf",
"modified": "2022-05-17T02:27:36Z",
"published": "2022-05-17T02:27:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2231"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN06337557/index.html"
},
{
"type": "WEB",
"url": "http://www.mlit.go.jp/common/001189444.pdf"
},
{
"type": "WEB",
"url": "http://www.mlit.go.jp/gobuild/gobuild_cals_sysv3.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W26J-RR99-HQPH
Vulnerability from github – Published: 2022-05-14 03:11 – Updated: 2022-05-14 03:11In Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2, Facter on Windows is vulnerable to a DLL preloading attack, which could lead to a privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2018-6514"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-11T20:29:00Z",
"severity": "HIGH"
},
"details": "In Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2, Facter on Windows is vulnerable to a DLL preloading attack, which could lead to a privilege escalation.",
"id": "GHSA-w26j-rr99-hqph",
"modified": "2022-05-14T03:11:17Z",
"published": "2022-05-14T03:11:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6514"
},
{
"type": "WEB",
"url": "https://puppet.com/security/cve/CVE-2018-6514"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W2GQ-JJ32-QQ6Q
Vulnerability from github – Published: 2022-05-14 01:01 – Updated: 2022-05-14 01:01Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandle DLL loading, which allows local users to gain privileges via a crafted application, aka "DLL Loading Elevation of Privilege Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2016-0014"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-01-13T05:59:00Z",
"severity": "HIGH"
},
"details": "Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandle DLL loading, which allows local users to gain privileges via a crafted application, aka \"DLL Loading Elevation of Privilege Vulnerability.\"",
"id": "GHSA-w2gq-jj32-qq6q",
"modified": "2022-05-14T01:01:33Z",
"published": "2022-05-14T01:01:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0014"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-007"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1034661"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W2J4-CCQM-F2PQ
Vulnerability from github – Published: 2022-05-17 02:27 – Updated: 2022-05-17 02:27Untrusted search path vulnerability in Installer of Lhaz version 2.4.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
{
"affected": [],
"aliases": [
"CVE-2017-2246"
],
"database_specific": {
"cwe_ids": [
"CWE-426"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-17T13:18:00Z",
"severity": "HIGH"
},
"details": "Untrusted search path vulnerability in Installer of Lhaz version 2.4.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.",
"id": "GHSA-w2j4-ccqm-f2pq",
"modified": "2022-05-17T02:27:40Z",
"published": "2022-05-17T02:27:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2246"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN21369452/index.html"
},
{
"type": "WEB",
"url": "http://chitora.com/jvn21369452.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W2VG-8H8Q-7FCG
Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2024-04-04 00:50Privilege escalation due to insecure directory permissions affecting ViveportDesktopService in HTC VIVEPORT before 1.0.0.36 allows local attackers to escalate privileges via DLL hijacking.
{
"affected": [],
"aliases": [
"CVE-2019-12177"
],
"database_specific": {
"cwe_ids": [
"CWE-426",
"CWE-427"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-03T20:29:00Z",
"severity": "HIGH"
},
"details": "Privilege escalation due to insecure directory permissions affecting ViveportDesktopService in HTC VIVEPORT before 1.0.0.36 allows local attackers to escalate privileges via DLL hijacking.",
"id": "GHSA-w2vg-8h8q-7fcg",
"modified": "2024-04-04T00:50:55Z",
"published": "2022-05-24T16:47:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12177"
},
{
"type": "WEB",
"url": "https://community.viveport.com"
},
{
"type": "WEB",
"url": "https://huskersec.com/privilege-escalation-via-htc-viveport-desktop-c93471ff87c8"
},
{
"type": "WEB",
"url": "https://posts.specterops.io/razer-synapse-3-elevation-of-privilege-6d2802bd0585"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Attack Surface Reduction
Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
Mitigation
When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Mitigation
Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
Mitigation
Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.
Mitigation
Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.
CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.