CVE-2026-40031
Published: 08 April 2026
Summary
CVE-2026-40031 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in ufrisk MemProcFS. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique DLL (T1574.001). The CVE ranks at the 3.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-40031, published on 2026-04-08, affects MemProcFS versions before 5.17 and involves multiple unsafe library-loading patterns that enable DLL and shared-library hijacking across six attack surfaces. These include bare-name LoadLibraryU and dlopen calls without path qualification for components such as vmmpyc, libMSCompression, and plugin DLLs. The vulnerability, classified under CWE-427 (Uncontrolled Search Path Element), has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high confidentiality, integrity, and availability impacts.
A local attacker can exploit this vulnerability by placing a malicious DLL or shared library in MemProcFS's working directory or by manipulating the LD_LIBRARY_PATH environment variable. When MemProcFS then loads the affected libraries by bare name, the attacker's library is loaded instead, resulting in arbitrary code execution. No privileges are required (PR:N) and attack complexity is low (AC:L), but exploitation requires user interaction (UI:R), such as running the tool in a compromised context.
Mitigation is available in MemProcFS version 5.17, released at https://github.com/ufrisk/MemProcFS/releases/tag/v5.17, with the patching commit at https://github.com/ufrisk/MemProcFS/commit/df80e6e83641f5004025ce661e6dd8139028d7b5. Further details on the issue appear in advisories from VulnCheck at https://www.vulncheck.com/advisories/memprocfs-dll-shared-library-hijacking and Mobasi at https://mobasi.ai/sentinel.
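A pre-launch check for the two locations named above, the working directory and LD_LIBRARY_PATH, for hosts that still run a build older than 5.17. This is an added example, not MemProcFS or advisory code; `install_dir`, the function names and the suffix list are assumptions.

```python
import os
import stat
from pathlib import Path

LIB_SUFFIXES = (".so", ".dll", ".pyd", ".dylib")  # assumption: extensions treated as libraries

def is_library(name: str) -> bool:
    """True for shared-library file names, including versioned ones (libx.so.1)."""
    lower = name.lower()
    return lower.endswith(LIB_SUFFIXES) or ".so." in lower

def search_dirs(cwd: str, ld_library_path: str) -> list[tuple[Path, str]]:
    """Working directory plus LD_LIBRARY_PATH entries, each with a note about the entry itself."""
    dirs = [(Path(cwd).resolve(), "")]
    for entry in ld_library_path.split(":") if ld_library_path else []:
        if entry == "" or not os.path.isabs(entry):
            # An empty or relative entry resolves against the working directory.
            dirs.append(((Path(cwd) / entry).resolve(), f"relative LD_LIBRARY_PATH entry {entry!r}"))
        else:
            dirs.append((Path(entry).resolve(), ""))
    return dirs

def audit_launch_context(install_dir: str, cwd: str, ld_library_path: str = "") -> list[str]:
    """Return findings; an empty list means no shadowing candidates were found."""
    install = Path(install_dir).resolve()
    shipped = {p.name for p in install.iterdir() if p.is_file() and is_library(p.name)}
    findings, seen = [], {install}
    for directory, note in search_dirs(cwd, ld_library_path):
        if note:
            findings.append(note)
        if directory in seen or not directory.is_dir():
            continue
        seen.add(directory)
        if directory.stat().st_mode & stat.S_IWOTH:
            findings.append(f"world-writable search directory {directory}")
        for name in sorted(shipped & {p.name for p in directory.iterdir()}):
            findings.append(f"{directory / name} shadows shipped library {name}")
    return findings

if __name__ == "__main__":
    import sys
    for finding in audit_launch_context(sys.argv[1], os.getcwd(), os.environ.get("LD_LIBRARY_PATH", "")):
        print("FINDING:", finding)
```

Run it from the directory where MemProcFS will be started, passing the install directory as the only argument; any finding means a bare-name load could resolve to a file outside the install directory.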
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20773
Vulnerability details
MemProcFS before 5.17 contains multiple unsafe library-loading patterns that enable DLL and shared-library hijacking across six attack surfaces, including bare-name LoadLibraryU and dlopen calls without path qualification for vmmpyc, libMSCompression, and plugin DLLs. An attacker who places a malicious DLL or shared library in the working directory or manipulates LD_LIBRARY_PATH can achieve arbitrary code execution when MemProcFS loads.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability description explicitly details unsafe bare-name LoadLibraryU/dlopen calls and uncontrolled search paths (CWE-427). These allow an attacker to place malicious DLLs in the working directory or to manipulate LD_LIBRARY_PATH, achieving arbitrary code execution via DLL side-loading and dynamic linker hijacking.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely remediation of flaws, directly mitigating this CVE by applying the MemProcFS 5.17 patch that fixes the unsafe library-loading patterns.
SI-7 employs integrity verification mechanisms like cryptographic hashes or signatures to detect unauthorized changes to libraries, preventing or identifying hijacked DLLs or shared libraries.
CM-6 enforces secure configuration settings such as safe DLL search modes or restricted library paths to mitigate uncontrolled search path exploitation via working directory or LD_LIBRARY_PATH.