CVE-2026-3091
Published: 24 February 2026
Summary
CVE-2026-3091 is a medium-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Synology Presto Client. Its CVSS base score is 6.7 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK sub-technique DLL (T1574.001, under Hijack Execution Flow). The CVE is ranked at the 4.1 percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
CVE-2026-3091 is an uncontrolled search path element vulnerability (CWE-427) in Synology Presto Client versions before 2.1.3-0672. The issue arises during installation, where the software fails to properly validate DLL loading paths, allowing a malicious DLL placed in advance in the same directory as the installer to be executed instead of the legitimate one.
Local users with low privileges can exploit this vulnerability by placing a malicious DLL in the installer's directory prior to installation. Exploitation requires high attack complexity, local access, and user interaction, such as initiating the installer, per the CVSS v3.1 vector AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H (base score 6.7). Successful attacks enable reading or writing arbitrary files, potentially leading to full system compromise through escalated privileges or persistence.
Synology's security advisory (Synology_SA_26_02), available at https://www.synology.com/en-global/security/advisory/Synology_SA_26_02, details mitigation steps and patches for this vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7405
Vulnerability details
An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files and conduct denial-of-service during installation by placing a malicious DLL in advance in the same directory as the installer.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CWE-427 (uncontrolled search path element) directly enables DLL search-order hijacking or side-loading (T1038/T1574.002) of a malicious DLL from the installer directory; successful exploitation by a low-privileged local user yields arbitrary code execution, leading to privilege escalation (T1068) and potential persistence.
Mitigating Controls (NIST 800-53 r5)
- CM-14 (Signed Components): requires all executable components (including DLLs) to be cryptographically signed, directly blocking the malicious unsigned DLL that the installer would otherwise load from the same directory.
- SI-7 (Software, Firmware, and Information Integrity): mandates integrity verification of software and libraries before execution, preventing the installer from running an attacker-placed DLL that fails the check.
- Malicious-code protection: deploys malicious-code detection mechanisms that can identify and block the rogue DLL before or during the installation process.
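The two conditions the controls above address, an unsigned or tampered DLL sitting next to the installer and a low-privileged user being able to write into that directory, can both be checked from the administrator's side before the installer is launched. The script below is an added example written for this page; it is not Synology's code and does not come from the advisory. It uses the standard Windows PowerShell cmdlets Get-ChildItem, Get-AuthenticodeSignature and Get-Acl, and the directory path it takes is a placeholder supplied by the operator.

```powershell
# Added example (not from the page or from Synology): pre-installation audit of
# the directory an installer will run from.  It (1) flags DLLs that are unsigned
# or whose Authenticode signature does not validate (CM-14 / SI-7), and
# (2) flags ACL entries that let broad groups write into the directory, which is
# the precondition for a low-privileged local user to plant a DLL there.
# Usage:  .\Test-InstallerDir.ps1 -InstallerDir 'C:\path\to\installer'   (placeholder path)
param(
    [Parameter(Mandatory = $true)][string]$InstallerDir
)

if (-not (Test-Path -LiteralPath $InstallerDir -PathType Container)) {
    throw "Directory not found: $InstallerDir"
}

$problems = 0

# --- 1. Signature state of every DLL sitting next to the installer ---------
$dlls = Get-ChildItem -LiteralPath $InstallerDir -Filter '*.dll' -File
$sigReport = foreach ($dll in $dlls) {
    $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    [pscustomobject]@{
        File    = $dll.Name
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = $signer
        Flagged = ($sig.Status -ne 'Valid')
    }
}
if ($sigReport) {
    $sigReport | Format-Table -AutoSize
    $badDlls = @($sigReport | Where-Object Flagged)
    if ($badDlls.Count -gt 0) {
        Write-Warning ("{0} DLL(s) in {1} are unsigned or fail signature validation." -f $badDlls.Count, $InstallerDir)
        $problems += $badDlls.Count
    }
} else {
    Write-Output "No DLLs present alongside the installer in $InstallerDir"
}

# --- 2. Can broad, low-privileged groups write into this directory? --------
# Rights that allow creating or replacing files; matched against the enum's
# string form (e.g. "Modify, Synchronize").
$writeRights = 'Write|Modify|FullControl|CreateFiles|WriteData'
$broadGroups = 'Everyone|Authenticated Users|BUILTIN\\Users|INTERACTIVE'
$acl = Get-Acl -LiteralPath $InstallerDir
$weakAces = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.IdentityReference.Value -match $broadGroups) -and
    ($_.FileSystemRights.ToString() -match $writeRights)
})
foreach ($ace in $weakAces) {
    Write-Warning ("ACL: {0} has {1} on {2}; a non-admin user could drop a DLL here." -f `
        $ace.IdentityReference, $ace.FileSystemRights, $InstallerDir)
}
$problems += $weakAces.Count

# --- Verdict ---------------------------------------------------------------
if ($problems -gt 0) {
    Write-Warning "Do not run the installer from this directory as-is: copy only the installer into a fresh, admin-writable-only directory and re-run this check."
    exit 1
}
Write-Output "OK: no unsigned/invalid DLLs and no broad write access in $InstallerDir"
exit 0
```

Two design notes. The signature check treats anything other than `Valid` as a finding, so a DLL with a legitimate-looking name but a `HashMismatch` status is surfaced just like an unsigned one; a stricter deployment can additionally compare `Signer` against the vendor's expected certificate subject. The ACL check is deliberately coarse (it matches on group name and right name) because its purpose is to make the precondition described under "Deeper analysis" visible, that is, whether a low-privileged local user could have placed a file next to the installer, not to enumerate every effective-permission path.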