Platform
linux
Component
libfido2
Fixed in
1.17.0
CVE-2026-40947 describes a DLL hijacking vulnerability discovered in Yubico's libfido2 library, impacting versions from 0.0.0 through 5.9.1. This flaw allows a malicious actor to potentially execute arbitrary code by strategically placing a malicious DLL within the library's search path. The vulnerability also affects dependent projects like python-fido2 and yubikey-manager before their respective fixed versions. A patch has been released in libfido2 5.9.1, python-fido2 2.2.0, and yubikey-manager 5.9.1.
The core of this vulnerability lies in the way libfido2 resolves DLL dependencies. If a malicious actor can control the directory where libfido2 searches for DLLs, they can substitute a malicious DLL for a legitimate one. When libfido2 attempts to load a specific function, it will unknowingly load and execute the attacker's code instead. This could lead to privilege escalation, data theft, or even complete system compromise, depending on the attacker's goals and the permissions of the process running libfido2. The impact is magnified if libfido2 is integrated into critical security infrastructure or used in environments with limited access controls. Successful exploitation could allow an attacker to bypass authentication mechanisms or gain unauthorized access to sensitive data.
CVE-2026-40947 has been publicly disclosed on 2026-04-15. The CVSS score is LOW (2.9), indicating a relatively low probability of exploitation in most environments. Currently, there are no publicly available proof-of-concept exploits. It is not listed on the CISA KEV catalog at the time of writing. However, DLL hijacking vulnerabilities are often exploited in targeted attacks, so vigilance is advised.
Exploit Status
EPSS
0.01% (0% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40947 is to upgrade to the patched versions: libfido2 5.9.1, python-fido2 2.2.0, and yubikey-manager 5.9.1. If immediate upgrading is not possible, consider implementing stricter directory permissions on the libfido2 installation directory to prevent unauthorized file placement. Employing application whitelisting can also restrict the execution of untrusted DLLs. Monitor system logs for unusual DLL loading activity, particularly in the libfido2 installation directory. After upgrading, verify the fix by attempting to load a DLL from a controlled, non-standard location; the library should refuse to load it.
Update the libfido2 library to version 1.17.0 or higher to mitigate the DLL search path vulnerability. Check the specific update instructions provided by Yubico in their security advisory (https://www.yubico.com/support/security-advisories/ysa-2026-01/). Ensure you also update related dependencies, such as python-fido2 and yubikey-manager to their patched versions (2.2.0 and 5.9.1 respectively).
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-40947 is a DLL hijacking vulnerability affecting libfido2 versions 0.0.0–5.9.1, allowing attackers to potentially execute arbitrary code by manipulating the DLL search path.
You are affected if you are using libfido2, python-fido2, or yubikey-manager versions prior to 5.9.1, 2.2.0, and 5.9.1 respectively.
Upgrade to libfido2 5.9.1, python-fido2 2.2.0, or yubikey-manager 5.9.1. Implement stricter directory permissions and consider application whitelisting as interim measures.
Currently, there are no publicly known active exploits for CVE-2026-40947, but DLL hijacking vulnerabilities are often targeted in attacks.
Refer to the Yubico security advisory for detailed information and updates regarding CVE-2026-40947.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.