CWE-427
Uncontrolled Search Path Element
BaseDraft
Description
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-38 · CAPEC-471
CVEs mapped to this weakness (303)
page 14 of 16| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-21843 | Med | 0.44 | 6.7 | 0.00 | May 16, 2024 | Uncontrolled search path for some Intel(R) Computing Improvement Program software before version 2.4.0.10654 may allow an authenticated user to potentially enable escalation of privilege via local access. | |
| CVE-2024-21841 | Med | 0.44 | 6.7 | 0.00 | May 16, 2024 | Uncontrolled search path for some Intel(R) Distribution for GDB software before version 2024.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | |
| CVE-2024-21818 | Med | 0.44 | 6.7 | 0.00 | May 16, 2024 | Uncontrolled search path in some Intel(R) PCM software before version 202311 may allow an authenticated user to potentially enable escalation of privilege via local access. | |
| CVE-2024-21774 | Med | 0.44 | 6.7 | 0.00 | May 16, 2024 | Uncontrolled search path in some Intel(R) Processor Identification Utility software before versions 6.10.34.1129, 7.1.6 may allow an authenticated user to potentially enable escalation of privilege via local access. | |
| CVE-2023-43751 | Med | 0.44 | 6.7 | 0.00 | May 16, 2024 | Uncontrolled search path in Intel(R) Graphics Command Center Service bundled in some Intel(R) Graphics Windows DCH driver software before versions 31.0.101.3790/31.0.101.2114 may allow an authenticated user to potentially enable escalation of privilege via local access. | |
| CVE-2023-40155 | Med | 0.44 | 6.7 | 0.00 | May 16, 2024 | Uncontrolled search path for some Intel(R) CST software before version 2.1.10300 may allow an authenticated user to potentially enable escalation of privilege via local access. | |
| CVE-2023-39929 | Med | 0.44 | 6.7 | 0.00 | May 16, 2024 | Uncontrolled search path in some Libva software maintained by Intel(R) before version 2.20.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | |
| CVE-2017-12313 | Med | 0.44 | 6.7 | 0.00 | Nov 16, 2017 | An untrusted search path (aka DLL Preload) vulnerability in the Cisco Network Academy Packet Tracer software could allow an authenticated, local attacker to execute arbitrary code via DLL hijacking if a local user with administrative privileges executes the installer in the current working directory where a crafted DLL has been placed by an attacker. The vulnerability is due to incomplete input validation of path and file names of a DLL file before it is loaded. An attacker could exploit this vulnerability by creating a malicious DLL file and installing it in a specific system directory. A successful exploit could allow the attacker to execute commands on the underlying Microsoft Windows host with privileges equivalent to the SYSTEM account. An attacker would need valid user credentials to exploit this vulnerability. | |
| CVE-2017-6417 | Med | 0.44 | 6.7 | 0.00 | Mar 21, 2017 | Code injection vulnerability in Avira Total Security Suite 15.0 (and earlier), Optimization Suite 15.0 (and earlier), Internet Security Suite 15.0 (and earlier), and Free Security Suite 15.0 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Avira process via a "DoubleAgent" attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack. | |
| CVE-2017-5567 | Med | 0.44 | 6.7 | 0.00 | Mar 21, 2017 | Code injection vulnerability in Avast Premier 12.3 (and earlier), Internet Security 12.3 (and earlier), Pro Antivirus 12.3 (and earlier), and Free Antivirus 12.3 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Avast process via a "DoubleAgent" attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack. | |
| CVE-2017-5566 | Med | 0.44 | 6.7 | 0.00 | Mar 21, 2017 | Code injection vulnerability in AVG Ultimate 17.1 (and earlier), AVG Internet Security 17.1 (and earlier), and AVG AntiVirus FREE 17.1 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any AVG process via a "DoubleAgent" attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack. | |
| CVE-2017-5565 | Med | 0.44 | 6.7 | 0.00 | Mar 21, 2017 | Code injection vulnerability in Trend Micro Maximum Security 11.0 (and earlier), Internet Security 11.0 (and earlier), and Antivirus+ Security 11.0 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Trend Micro process via a "DoubleAgent" attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack. | |
| CVE-2025-11772 | Med | 0.43 | 6.6 | 0.00 | Dec 1, 2025 | A carefully crafted DLL, copied to C:\ProgramData\Synaptics folder, allows a local user to execute arbitrary code with elevated privileges during driver installation. | |
| CVE-2025-3051 | Med | 0.42 | 6.5 | 0.00 | Apr 1, 2025 | Linux::Statm::Tiny for Perl before 0.0701 allows untrusted code from the current working directory ('.') to be loaded similar to CVE-2016-1238. If an attacker can place a malicious file in current working directory, it may be loaded instead of the intended file, potentially leading to arbitrary code execution. Linux::Statm::Tiny uses Mite to produce the affected code section due to CVE-2025-30672 | |
| CVE-2025-30673 | Med | 0.42 | 6.5 | 0.00 | Apr 1, 2025 | Sub::HandlesVia for Perl before 0.050002 allows untrusted code from the current working directory ('.') to be loaded similar to CVE-2016-1238. If an attacker can place a malicious file in current working directory, it may be loaded instead of the intended file, potentially leading to arbitrary code execution. Sub::HandlesVia uses Mite to produce the affected code section due to CVE-2025-30672 | |
| CVE-2025-30672 | Med | 0.42 | 6.5 | 0.00 | Apr 1, 2025 | Mite for Perl before 0.013000 generates code with the current working directory ('.') added to the @INC path similar to CVE-2016-1238. If an attacker can place a malicious file in current working directory, it may be loaded instead of the intended file, potentially leading to arbitrary code execution. This affects the Mite distribution itself, and other distributions that contain code generated by Mite. | |
| CVE-2024-34016 | Med | 0.42 | 6.5 | 0.00 | Sep 16, 2024 | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 38235. | |
| CVE-2024-50583 | Med | 0.41 | 6.3 | 0.00 | Oct 25, 2024 | Whale browser Installer before 3.1.0.0 allows an attacker to execute a malicious DLL in the user environment due to improper permission settings. | |
| CVE-2025-49144 | Hig | 0.40 | 7.3 | 0.00 | Jun 23, 2025 | Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder - which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2. | |
| CVE-2025-49148 | Hig | 0.40 | 7.3 | 0.00 | Jun 11, 2025 | ClipShare is a lightweight and cross-platform tool for clipboard sharing. Prior to 3.8.5, ClipShare Server for Windows uses the default Windows DLL search order and loads system libraries like CRYPTBASE.dll and WindowsCodecs.dll from its own directory before the system path. A local, non-privileged user who can write to the folder containing clip_share.exe can place malicious DLLs there, leading to arbitrary code execution in the context of the server, and, if launched by an Administrator (or another elevated user), it results in a reliable local privilege escalation. This vulnerability is fixed in 3.8.5. |