Cyber Posture

CVE-2026-3091

Medium

Published: 24 February 2026
Modified: 04 March 2026
KEV Added: not listed
Patch: see vendor advisory (Synology_SA_26_02)
CVSS Score: 6.7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.4th percentile)
Risk Priority: 13 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-3091 is a medium-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Synology Presto Client. Its CVSS base score is 6.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL Search Order Hijacking (T1038). The CVE is ranked at the 0.4th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to DLL Search Order Hijacking (T1038) and two other techniques.

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1038 DLL Search Order Hijacking (tactic: Persistence)
Windows systems use a common method to look for required DLLs to load into a program.
T1574.002 DLL Side-Loading (tactic: Stealth)
Adversaries may execute their own malicious payloads by side-loading DLLs.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

A CWE-427 uncontrolled search path directly enables DLL search order hijacking or side-loading (T1038 / T1574.002): the installer resolves a DLL from its own directory, so a malicious DLL planted there is loaded in place of the legitimate one. Successful exploitation by a low-privileged local user yields arbitrary code execution in the installer's context, which can lead to privilege escalation (T1068) and potential persistence.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files during installation by placing a malicious DLL in advance in the same directory as the installer.

Deeper analysis (AI-generated)

CVE-2026-3091 is an uncontrolled search path element vulnerability (CWE-427) in Synology Presto Client versions before 2.1.3-0672. The issue arises during installation: the installer does not properly validate the paths from which it loads DLLs, so a malicious DLL placed in advance in the same directory as the installer is loaded and executed instead of the legitimate one.

Local users with low privileges can exploit this vulnerability by placing a malicious DLL in the installer's directory before the installation runs. Per the CVSS v3.1 vector AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H (base score 6.7), exploitation requires local access, high attack complexity, and user interaction, such as another user launching the installer. Successful attacks enable reading or writing arbitrary files, potentially leading to full system compromise through escalated privileges or persistence.

Synology's security advisory (Synology_SA_26_02), available at https://www.synology.com/en-global/security/advisory/Synology_SA_26_02, details mitigation steps and patches for this vulnerability.
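The practical defensive check that follows from the analysis above is to inspect the installer's directory before running the installer: any loose DLL beside it, or write access for broad local principals, is exactly the precondition this CWE-427 issue depends on. The script below is an added example and is not part of the advisory or of Synology's tooling; `$InstallerPath` is an assumed parameter, and because the advisory does not name the hijacked DLL, every DLL in the directory is reported rather than a fixed list.

```powershell
# Added example (not from the advisory): pre-install audit for DLL planting
# in the installer's directory, the scenario described for CVE-2026-3091.
# $InstallerPath is an assumed parameter; the affected DLL name is not
# published, so every DLL adjacent to the installer is reported.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath
)

$installer = Get-Item -LiteralPath $InstallerPath
$dir = $installer.DirectoryName

# 1. Loose DLLs next to the installer are suspicious: a standalone installer
#    should not depend on unsigned DLLs shipped beside it in a shared folder.
$dlls = Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File
foreach ($dll in $dlls) {
    $hash = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $dll.FullName
    [pscustomobject]@{
        Dll       = $dll.Name
        Sha256    = $hash
        Signature = $sig.Status              # NotSigned / HashMismatch are red flags
        Signer    = $sig.SignerCertificate.Subject
        Modified  = $dll.LastWriteTime
    }
}

# 2. Check whether low-privileged principals can write to the directory,
#    which is what allows another local user to plant a DLL in advance.
$broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$acl = Get-Acl -LiteralPath $dir
$writable = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broad -contains $_.IdentityReference.Value -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::WriteData)
}
if ($writable) {
    Write-Warning "$dir is writable by broad principals; run the installer from a directory only the installing user can write to."
}
if (-not $dlls -and -not $writable) {
    Write-Host "No loose DLLs and no broad write access in $dir"
}
```

Run it as the user who will launch the installer, and treat any reported DLL that is unsigned or has a signature status other than Valid as a reason to move the installer to a freshly created, user-private directory before proceeding.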

Details

CWE(s): CWE-427 Uncontrolled Search Path Element

Affected Products

Synology Presto Client ≤ 2.1.3-0672

CVEs Like This One

CVE-2024-11131: same product class (NAS / storage appliance)
CVE-2024-10444: same product class (NAS / storage appliance)
CVE-2024-45538: same product class (NAS / storage appliance)
CVE-2024-10441: same product class (NAS / storage appliance)
CVE-2024-50630: same product class (NAS / storage appliance)
CVE-2024-50631: same product class (NAS / storage appliance)
CVE-2024-10442: same product class (NAS / storage appliance)
CVE-2024-9492: shared CWE-427
CVE-2025-33229: shared CWE-427
CVE-2026-21420: shared CWE-427

References