Cyber Resilience

CVE-2026-40029

High · Public PoC

Published: 08 April 2026

Published
08 April 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0080 52.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-40029 is a high-severity OS Command Injection (CWE-78) vulnerability in Khyrenz Parseusbs. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks in the top 48.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40029 is an OS command injection vulnerability (CWE-78) in parseusbs versions before 1.9. The issue resides in the parseUSBs.py script, where LNK file paths from USB artifacts are passed unsanitized directly into an os.popen() shell command. This allows attackers to embed shell metacharacters in crafted .lnk filenames, leading to arbitrary command execution on the system running the tool.

The vulnerability targets forensic examiners processing USB devices with the affected parseusbs tool. An attacker with access to craft a malicious .lnk file on a USB artifact can exploit it when the examiner runs parseusbs, requiring local access and user interaction but no privileges (PR:N). Successful exploitation achieves high confidentiality, integrity, and availability impacts through arbitrary command execution on the examiner's machine, as reflected in the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Patches addressing the vulnerability are available in the parseusbs repository via GitHub commit 99f05996494e7e41ea0c7e13145ba20eb793e46b and pull request #10, which sanitize LNK file paths before shell invocation. Further mitigation guidance and analysis appear in advisories from VulnCheck (vulncheck.com/advisories/parseusbs-command-injection-via-crafted-lnk-filename) and Mobasi.ai Sentinel (mobasi.ai/sentinel).
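The mechanism described above, the CWE-78 pattern of splicing a recovered LNK path into an os.popen() string, is easiest to understand beside its hardened forms. The following is an added example and not parseusbs's own code or its patch: it assumes a hypothetical parser that hands each recovered .lnk path to an external command-line tool (named `lnkparse` here as a placeholder), and the sample paths are constructed. It shows the vulnerable string construction, the minimal fix with `shlex.quote()`, the preferred fix of an argv list with `shell=False`, and a triage helper that flags recovered paths containing shell metacharacters before any tool is run on them.

```python
"""Safe handling of attacker-controlled LNK paths in a USB-artifact parser.

Added example, not parseusbs's own code. It assumes a hypothetical parser
that hands each recovered .lnk path to an external command-line tool; the
sample paths below are constructed, not real forensic data.
"""
import shlex
import subprocess
import sys

# Characters the POSIX shell treats specially. A filename containing any of
# these is unsafe to interpolate into an os.popen()/os.system() string.
SHELL_METACHARS = set(";|&$`<>(){}*?!#\n\"'\\")

# Constructed sample paths as a parser might recover them from USB artifacts.
SAMPLE_LNK_PATHS = [
    "Documents/quarterly report.lnk",
    "E:/photos/holiday.lnk",
    "report; echo injected.lnk",  # constructed: contains a shell metacharacter
]

# Stand-in "tool" that only prints its first argument, so running it is harmless.
ECHO_TOOL_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def has_shell_metachars(lnk_path: str) -> bool:
    """Return True if the path could alter a shell command it is spliced into."""
    return any(ch in SHELL_METACHARS for ch in lnk_path)


def flag_suspicious_lnk_paths(paths):
    """Triage helper: return the recovered paths an examiner should inspect
    before any external tool is run on them."""
    return [p for p in paths if has_shell_metachars(p)]


def vulnerable_command(tool: str, lnk_path: str) -> str:
    """The CWE-78 pattern the advisory describes: the path is spliced into a
    single string that os.popen() would hand to /bin/sh. Shown for comparison
    only; this function builds the string and never executes it."""
    return f"{tool} {lnk_path}"


def quoted_command(tool: str, lnk_path: str) -> str:
    """Minimal fix when a shell string must be kept: shlex.quote() turns the
    path into one literal shell word, so metacharacters lose their meaning."""
    return f"{tool} {shlex.quote(lnk_path)}"


def run_tool_safely(tool_argv, lnk_path: str) -> str:
    """Preferred fix: pass an argv list with the default shell=False so the
    path reaches the tool as a single argument and no shell parses it.
    Returns the tool's stdout."""
    argv = [*tool_argv, lnk_path]
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    for path in SAMPLE_LNK_PATHS:
        print("recovered path:   ", path)
        print("vulnerable string:", vulnerable_command("lnkparse", path))
        print("quoted string:    ", quoted_command("lnkparse", path))
        print("argv run returned:", run_tool_safely(ECHO_TOOL_ARGV, path).rstrip())
        print("flagged:          ", has_shell_metachars(path))
        print()
```

With the argv form the constructed name `report; echo injected.lnk` comes back from the stand-in tool verbatim, because it was never parsed by a shell; the same name in the vulnerable string would be split at the semicolon. The triage helper is a second line of defence for examiners who cannot upgrade immediately: it surfaces recovered names that contain shell metacharacters so they can be handled before the unpatched tool is run.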

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

OS command injection via unsanitized LNK paths into os.popen enables arbitrary shell command execution (T1059); requires user to run the tool on a crafted malicious file (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40030 · Same product: Khyrenz Parseusbs
CVE-2026-34982 · Shared CWE-78
CVE-2026-40517 · Shared CWE-78
CVE-2026-4946 · Shared CWE-78
CVE-2025-52626 · Shared CWE-78
CVE-2026-21267 · Shared CWE-78
CVE-2026-28470 · Shared CWE-78
CVE-2025-69269 · Shared CWE-78
CVE-2025-24971 · Shared CWE-78
CVE-2026-22553 · Shared CWE-78

Affected Assets

khyrenz
parseusbs
≤ 1.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SI-10 (Information Input Validation)
Directly requires validating LNK file paths to sanitize inputs and prevent shell metacharacters from being injected into os.popen() commands.

prevent · SI-2 (Flaw Remediation)
Mandates timely remediation of the known command injection flaw in parseusbs via the available patch sanitizing LNK paths.

prevent
Ensures integrity verification of parseusbs software and configuration to confirm the patched version is deployed without tampering.

References