Cyber Resilience

CVE-2026-40947

Severity: Low · LPE (local privilege escalation)

Published: 16 April 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: libfido2 1.17.0, python-fido2 2.2.0, yubikey-manager 5.9.1 (the first fixed versions, per the vulnerability details below)
CVSS v3.1 score: 2.9 (Low), vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS score: 0.0013 (3.0th percentile)
Risk priority: 15 (floored blend · peak EPSS)

Summary

CVE-2026-40947 is a low-severity Untrusted Search Path (CWE-426) vulnerability in Yubico's libfido2, python-fido2 and yubikey-manager (the vendor is inferred from the references and description; NVD has not filed a CPE). Its CVSS v3.1 base score is 2.9 (Low): local attack vector, high attack complexity, no privileges or user interaction required, unchanged scope, and a low integrity impact only, with no confidentiality or availability impact.

Operationally, exploitation maps to the MITRE ATT&CK technique T1574.001 (DLL). EPSS ranks the CVE at the 3.0th percentile by exploit likelihood, well below the median, and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path.

CWE(s)

CWE-426 Untrusted Search Path

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1574.001 DLL · Stealth
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.
Why these techniques?

An unintended DLL search path (CWE-426) directly enables DLL search-order hijacking and DLL side-loading: when the loader consults a directory the attacker can write to (the current working directory, a PATH entry, or a writable application directory) before it reaches the legitimate library, or never finds the library at all, the attacker's DLL is loaded into the process instead. The vector's AV:L and PR:N reflect that pattern: the attacker needs only a local, unprivileged foothold from which to place a file where the search path reaches it. When verifying a fix for this class of bug, the general check is that the binary loads its dependencies by full path or restricts the loader with SetDefaultDllDirectories or the LOAD_LIBRARY_SEARCH_* flags, so that the current directory and PATH are no longer consulted; the advisory text does not say which of these the Yubico fixes use.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
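To make the mapping concrete, the following is an added example, not code from this page, from Yubico, or from any of the affected projects. It models the two Windows DLL search orders (the default with SafeDllSearchMode on, and the restricted order a process gets from SetDefaultDllDirectories or the LOAD_LIBRARY_SEARCH_* flags) and flags which by-name DLL loads a local, unprivileged attacker could hijack. The install directory, file listing, DLL names, writable-directory set and the "observed loads" are all hypothetical and constructed for the example; the CVE text does not say which library the affected binaries load, so no name here is taken from it.

```python
"""Model of the Windows DLL search order, to show why an unintended search path
(CWE-426) leads straight to DLL search-order hijacking (ATT&CK T1574.001).

Everything here is constructed: the install directory, the file listing and the
DLL names are made up, and the two search orders are a simplified model of the
documented Windows default order (SafeDllSearchMode on) and of the restricted
order a process gets after SetDefaultDllDirectories() or LoadLibraryEx() with
LOAD_LIBRARY_SEARCH_* flags. Nothing here touches the real OS.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

APP_DIR = r"C:\Program Files\Example\App"     # hypothetical install dir, not user-writable
SYSTEM32 = r"C:\Windows\System32"

# Directories an unprivileged local user can write to (the AV:L / PR:N attacker).
USER_WRITABLE: Set[str] = {
    r"C:\Users\alice\Downloads",
    r"C:\Users\alice\AppData\Local\Temp",
    r"C:\Tools",                               # an ad-hoc directory someone put on PATH
}

# Constructed filesystem: directory -> files present there.
FS: Dict[str, Set[str]] = {
    APP_DIR: {"app.exe", "appcore.dll"},
    SYSTEM32: {"kernel32.dll", "version.dll"},
    r"C:\Users\alice\Downloads": {"report.pdf"},
    r"C:\Tools": {"tool.exe"},
}


@dataclass(frozen=True)
class Resolution:
    dll: str
    path: Optional[str]      # where the loader would pick the DLL up, None if nowhere
    hijackable: bool         # an attacker-writable directory is consulted first
    reason: str


def default_search_order(cwd: str, path_dirs: Iterable[str]) -> List[str]:
    """Simplified default order with SafeDllSearchMode enabled: application
    directory, System32, 16-bit system directory, Windows directory, the
    current directory, then each PATH entry in turn."""
    return [APP_DIR, SYSTEM32, r"C:\Windows\System", r"C:\Windows", cwd, *path_dirs]


def restricted_search_order() -> List[str]:
    """Order after SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) or
    LoadLibraryEx(..., LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32):
    the current directory and PATH are never consulted."""
    return [APP_DIR, SYSTEM32]


def resolve(dll: str, order: List[str], fs: Dict[str, Set[str]] = FS,
            writable: Set[str] = USER_WRITABLE) -> Resolution:
    """Walk the search order the way the loader would. The first directory that
    is attacker-writable or that contains the DLL decides the outcome: a
    writable directory reached before a trusted copy can have a malicious DLL
    planted in it (or already holds one), so the load is hijackable. A DLL that
    exists nowhere but whose search path crosses a writable directory is the
    'phantom DLL' case and is hijackable for the same reason."""
    for d in order:
        if d in writable:
            return Resolution(dll, d + "\\" + dll, True,
                              "writable directory %s consulted before any trusted copy" % d)
        if any(f.lower() == dll.lower() for f in fs.get(d, ())):
            return Resolution(dll, d + "\\" + dll, False, "trusted copy in " + d)
    return Resolution(dll, None, False, "not found; no writable directory on the search path")


def audit(dlls: Iterable[str], order: List[str]) -> Dict[str, Resolution]:
    """Resolve each DLL a binary is observed loading by bare name (for instance
    from a Process Monitor trace) under the given search order."""
    return {dll: resolve(dll, order) for dll in dlls}


if __name__ == "__main__":
    # Hypothetical observation: the app loads these three DLLs by bare name while
    # the user runs it from their Downloads folder with C:\Tools on PATH.
    loads = ["appcore.dll", "version.dll", "example.dll"]
    weak = default_search_order(cwd=r"C:\Users\alice\Downloads", path_dirs=[r"C:\Tools"])
    for name, res in audit(loads, weak).items():
        print("default    %-13s hijackable=%-5s %s" % (name, res.hijackable, res.reason))
    for name, res in audit(loads, restricted_search_order()).items():
        print("restricted %-13s hijackable=%-5s %s" % (name, res.hijackable, res.reason))
```

Under the default order, version.dll is safe because System32 is searched before the current directory, but the missing example.dll is picked up from the user's Downloads folder: that is the phantom-DLL variant of T1574.001 that an unintended search path exposes. Under the restricted order the same load simply fails, which is the behaviour a fix for CWE-426 should produce; a Process Monitor trace showing NAME NOT FOUND lookups in the current directory or PATH entries is the practical signal that a binary still uses the weak order.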

Affected Assets

Yubico: libfido2 before 1.17.0, python-fido2 before 2.2.0, yubikey-manager before 5.9.1
Vendor and products are inferred from the references and description; NVD has not filed a CPE for this CVE.

Mitigating Controls

No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. Until it does, the only vendor-supported remediation on record is upgrading to the fixed versions listed above.
