CVE-2026-40947
Published: 16 April 2026
Summary
CVE-2026-40947 is a low-severity Untrusted Search Path (CWE-426) vulnerability affecting Yubico software (the vendor is inferred from the references). Its CVSS base score is 2.9 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Hijack Execution Flow: DLL (T1574.001). It is ranked at the 3.0th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23135
Vulnerability details
Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path.
- CWE(s): CWE-426 (Untrusted Search Path)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1574.001 (Hijack Execution Flow: DLL)
Why these techniques?
An unintended DLL search path (CWE-426) directly enables DLL search order hijacking and DLL side-loading: when the loader consults a location that an attacker can write to before the directory holding the legitimate library, a malicious DLL with the expected name is loaded in its place.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.