CVE-2026-40029
Published: 08 April 2026
Summary
CVE-2026-40029 is a high-severity OS Command Injection (CWE-78) vulnerability in Khyrenz Parseusbs. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks at the 7.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate LNK file paths read from USB artifacts so that shell metacharacters cannot reach the os.popen() command string; the filename is attacker-controlled evidence and must be treated as untrusted input.
- SI-2 (Flaw Remediation): apply the available patch (parseusbs 1.9), which sanitizes LNK paths before shell invocation, within the organisation's remediation window.
- Integrity verification of the parseusbs software and its configuration confirms that the patched version is the one actually deployed and has not been tampered with.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsanitized LNK paths reaching os.popen() give the attacker arbitrary shell command execution on the examiner's host (T1059, Command and Scripting Interpreter). The crafted path only reaches the shell because the examiner runs the tool against the malicious file (T1204.002, User Execution: Malicious File).
NVD Description
parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.
Deeper analysis
CVE-2026-40029 is an OS command injection vulnerability (CWE-78) in parseusbs versions before 1.9. The issue resides in the parseUSBs.py script, where LNK file paths from USB artifacts are passed unsanitized directly into an os.popen() shell command. This allows attackers to embed shell metacharacters in crafted .lnk filenames, leading to arbitrary command execution on the system running the tool.
The exposed population is forensic examiners who process USB artifacts with the affected parseusbs tool. An attacker who can place a malicious .lnk file among the artifacts (for example on the USB device or in the evidence set handed to the examiner) triggers the flaw when the examiner runs parseusbs over it; this requires local access and user interaction but no privileges (PR:N). Because the examiner's workstation typically holds case data and often runs with elevated rights, successful exploitation yields high confidentiality, integrity, and availability impacts through arbitrary command execution, as reflected in the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Patches addressing the vulnerability are available in the parseusbs repository via GitHub commit 99f05996494e7e41ea0c7e13145ba20eb793e46b and pull request #10, which sanitize LNK file paths before shell invocation. Further mitigation guidance and analysis appear in advisories from VulnCheck (vulncheck.com/advisories/parseusbs-command-injection-via-crafted-lnk-filename) and Mobasi.ai Sentinel (mobasi.ai/sentinel).
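The following is an added illustration of the bug class described above and of the two standard fixes; it is not parseusbs code and does not reproduce the project's patch. The command that the tool wraps is unknown from this page, so the example assumes a placeholder `ls -l <path>` and invents the helper names (`vulnerable_inspect`, `hardened_inspect`, `quoted_command`, `is_acceptable_lnk_path`). The sample path with the `; echo INJECTED` tail is constructed for the demonstration.

```python
"""Illustrates CWE-78 as described for CVE-2026-40029 and two ways to fix it.

Nothing here is parseusbs code. The wrapped command ("ls -l") and all helper
names are assumptions made for this demonstration.
"""
import os
import re
import shlex
import subprocess

# Constructed sample input: an LNK path as a forensic tool might read it from a
# USB artifact. The "; echo INJECTED" tail is the attacker-controlled payload.
MALICIOUS_LNK = "/mnt/usb/Recent/report.lnk; echo INJECTED"
BENIGN_LNK = "/mnt/usb/Recent/report.lnk"

# Characters that change meaning when a string is handed to /bin/sh.
# Spaces are deliberately allowed: they are common in real LNK paths and are
# harmless once the path is passed as a single argv element.
SHELL_META = re.compile(r"[;&|`$<>(){}\[\]*?!\\\"'\n\r]")


def vulnerable_inspect(lnk_path: str) -> str:
    """Vulnerable pattern: the path is concatenated into a shell string for
    os.popen(), so everything after ';' in lnk_path runs as its own command.
    With MALICIOUS_LNK the captured stdout contains 'INJECTED'."""
    return os.popen("ls -l " + lnk_path).read()


def hardened_inspect(lnk_path: str) -> subprocess.CompletedProcess:
    """Fix 1 (preferred): no shell at all. The path is one argv element, so
    metacharacters reach ls literally and are never interpreted."""
    return subprocess.run(["ls", "-l", lnk_path], capture_output=True, text=True)


def quoted_command(lnk_path: str) -> str:
    """Fix 2 (only when a shell string is unavoidable): shlex.quote() wraps the
    path so the shell sees a single word."""
    return "ls -l " + shlex.quote(lnk_path)


def run_quoted(lnk_path: str) -> str:
    """Runs the quoted form through the same os.popen() to show the payload no
    longer executes; stdout stays empty because the quoted path does not exist."""
    return os.popen(quoted_command(lnk_path)).read()


def is_acceptable_lnk_path(lnk_path: str) -> bool:
    """Input validation in the spirit of SI-10: reject anything that does not
    look like a plain .lnk path before it reaches any command construction.
    This is a defence-in-depth gate, not a substitute for avoiding the shell."""
    return lnk_path.lower().endswith(".lnk") and SHELL_META.search(lnk_path) is None


if __name__ == "__main__":
    print("vulnerable ->", repr(vulnerable_inspect(MALICIOUS_LNK)))
    result = hardened_inspect(MALICIOUS_LNK)
    print("hardened   ->", repr(result.stdout), "rc", result.returncode)
    print("quoted     ->", quoted_command(MALICIOUS_LNK))
    for path in (BENIGN_LNK, MALICIOUS_LNK, "/mnt/usb/notes.txt"):
        print("validate   ->", path, is_acceptable_lnk_path(path))
```

Running the script on a POSIX host shows the asymmetry directly: the vulnerable call prints `INJECTED` to stdout even though `ls` itself fails on the non-existent path, while the argv-based and quoted forms fail closed with an empty stdout and a non-zero exit status. The validation gate is intentionally strict about metacharacters and the `.lnk` suffix but not about spaces, since rejecting spaces would break legitimate Windows paths.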
Details
- CWE(s)