Cyber Resilience

CVE-2026-40031

High · Public PoC

Published: 08 April 2026

Modified: 17 April 2026
CVSS v4 Score: 8.5
CVSS v4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0014 (3.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40031 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in ufrisk MemProcFS. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL (T1574.001). By exploit likelihood it ranks at the 3.9th percentile, below the median. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-40031, published on 2026-04-08, affects MemProcFS versions before 5.17 and involves multiple unsafe library-loading patterns that enable DLL and shared-library hijacking across six attack surfaces. These include bare-name LoadLibraryU and dlopen calls without path qualification for components such as vmmpyc, libMSCompression, and plugin DLLs. The vulnerability, classified under CWE-427 (Uncontrolled Search Path Element), has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high confidentiality, integrity, and availability impacts.

A local attacker can exploit this vulnerability by placing a malicious DLL or shared library in MemProcFS's working directory or by manipulating the LD_LIBRARY_PATH environment variable. When MemProcFS loads the affected libraries, this results in arbitrary code execution. No privileges are required (PR:N) and attack complexity is low (AC:L), but exploitation requires user interaction (UI:R), such as running the tool in a compromised context.

Mitigation is available in MemProcFS version 5.17, released at https://github.com/ufrisk/MemProcFS/releases/tag/v5.17, with the patching commit at https://github.com/ufrisk/MemProcFS/commit/df80e6e83641f5004025ce661e6dd8139028d7b5. Further details on the issue appear in advisories from VulnCheck at https://www.vulncheck.com/advisories/memprocfs-dll-shared-library-hijacking and Mobasi at https://mobasi.ai/sentinel.


Vulnerability details

MemProcFS before 5.17 contains multiple unsafe library-loading patterns that enable DLL and shared-library hijacking across six attack surfaces, including bare-name LoadLibraryU and dlopen calls without path qualification for vmmpyc, libMSCompression, and plugin DLLs. An attacker who places a malicious DLL or shared library in the working directory or manipulates LD_LIBRARY_PATH can achieve arbitrary code execution when MemProcFS loads.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1574.001 DLL · Stealth
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.
T1574.006 Dynamic Linker Hijacking · Stealth
Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries.
Why these techniques?

The vulnerability description explicitly details unsafe bare-name LoadLibraryU/dlopen calls and uncontrolled search paths (CWE-427). These enable placement of malicious DLLs in the working directory, or LD_LIBRARY_PATH manipulation, for arbitrary code execution via DLL side-loading and dynamic linker hijacking.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-9498 · Shared CWE-427
CVE-2024-57963 · Shared CWE-427
CVE-2024-9493 · Shared CWE-427
CVE-2026-23755 · Shared CWE-427
CVE-2025-24039 · Shared CWE-427
CVE-2025-21127 · Shared CWE-427
CVE-2026-2713 · Shared CWE-427
CVE-2024-57964 · Shared CWE-427
CVE-2024-53588 · Shared CWE-427
CVE-2023-53959 · Shared CWE-427

Affected Assets

ufrisk
memprocfs
≤ 5.17

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

SI-2 requires timely remediation of flaws, directly mitigating this CVE by applying the MemProcFS 5.17 patch that fixes the unsafe library-loading patterns.

prevent · detect

SI-7 employs integrity verification mechanisms like cryptographic hashes or signatures to detect unauthorized changes to libraries, preventing or identifying hijacked DLLs or shared libraries.

prevent

CM-6 enforces secure configuration settings such as safe DLL search modes or restricted library paths to mitigate uncontrolled search path exploitation via working directory or LD_LIBRARY_PATH.
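
The working-directory and LD_LIBRARY_PATH conditions described above can be checked before a pre-5.17 build is run. The following is an added example, not code from MemProcFS or the referenced advisories; the function names and file extensions are assumptions, and plugin DLL names are not covered because the page does not list them.

```python
import os
import stat

# Base names come from the advisory text; the extensions are an assumption,
# and plugin DLL names are not listed on the page, so they are not covered.
WATCHED_STEMS = {"vmmpyc", "libmscompression"}
LIB_EXTENSIONS = {"dll", "so", "pyd", "dylib"}


def shadowing_libraries(directory):
    """Library files in `directory` whose name matches a watched library."""
    hits = []
    for name in sorted(os.listdir(directory)):
        parts = name.lower().split(".")
        if len(parts) > 1 and parts[0] in WATCHED_STEMS and parts[1] in LIB_EXTENSIONS:
            hits.append(name)
    return hits


def risky_search_dirs(ld_library_path, cwd):
    """(entry, reason) pairs for LD_LIBRARY_PATH entries that widen the search path."""
    findings = []
    if not ld_library_path:
        return findings
    # ld.so accepts both ':' and ';' as separators.
    for entry in ld_library_path.replace(";", ":").split(":"):
        if entry == "":
            findings.append((entry, "empty entry means the current directory"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry resolves against the current directory"))
        try:
            mode = os.stat(os.path.join(cwd, entry)).st_mode
        except OSError:
            continue  # a missing directory cannot supply a library
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            findings.append((entry, "directory is world-writable"))
    return findings


if __name__ == "__main__":
    here = os.getcwd()
    for name in shadowing_libraries(here):
        print(f"[!] {name} in {here} matches a library MemProcFS loads by name")
    for entry, reason in risky_search_dirs(os.environ.get("LD_LIBRARY_PATH"), here):
        print(f"[!] LD_LIBRARY_PATH entry {entry!r}: {reason}")
```

Run it from the directory the tool will be started in (for example a case folder), not from the install directory, where the legitimate copies of these libraries are expected.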

References