YubiKey Manager: Security vulnerability allows execution of injected code
Yubico warns of a search path vulnerability in YubiKey Manager, libfido2 and python-fido2. Updates fix the bugs.
(Image: heise medien /Yubico)
A vulnerability in YubiKey Manager, libfido2, and python-fido2 allows attackers to inject malicious code into the software. Yubico is providing updated software packages to close the gaps.
Yubico warns about this in a security advisory. Updated sources and installers for the open-source projects YubiKey Manager, libfido2, and python-fido2 have been available since Wednesday of this week. They close vulnerabilities that arise on Windows from the way the software resolves its DLL search path: an attacker who is able to place files in the installation directory of the affected software can get the application to load and execute their own code.
The vulnerable software loads libraries with LoadLibrary(TEXT("DLL_NAME")), a call that does not restrict the search to the System32 directory and therefore also consults, among other locations, the application's own directory. The Yubico developers correct this by switching to LoadLibraryExW(L"DLL_NAME", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32) in the native code and WinDLL("DLL_NAME", winmode=LOAD_LIBRARY_SEARCH_SYSTEM32) in Python. Yubico notes that where the installation directories of the affected software are writable only with administrator rights, an attacker would need those rights as well (CVE-2026-40947, CVSS 7.0, risk "high"). MITRE rates the flaw considerably lower than Yubico does (CVSS 2.9, risk "low").
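To make the search-path problem concrete, here is an added Python example (not code from Yubico's projects) that simulates the Windows loader's directory order for an unqualified DLL name and shows which copy a LoadLibrary(TEXT("DLL_NAME")) call picks up compared with the LOAD_LIBRARY_SEARCH_SYSTEM32 form. The DLL name, installation directory, working directory and file listing are constructed for the example; the simulation ignores KnownDLLs and already-loaded modules. The last function shows the real ctypes.WinDLL call with winmode, which only runs on Windows.

```python
"""Simulation of the Windows DLL search order for an unqualified name,
with the planted-DLL scenario from the article. Added example, not code
from Yubico's projects; DLL and directory names are constructed."""
import os
from pathlib import PureWindowsPath

# Flag value from libloaderapi.h (the constant the fix passes to LoadLibraryExW / WinDLL).
# It restricts the search for the named DLL *and its dependencies* to System32.
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800

SYSTEM32 = r"C:\Windows\System32"

# Constructed scenario: a hypothetical DLL name and installation directory.
DLL_NAME = "target.dll"                                   # placeholder, not a real dependency
APP_DIR = r"C:\Program Files\Example\Example Manager"     # hypothetical install directory
CWD = r"C:\Users\alice\Downloads"                         # hypothetical working directory
PATH_DIRS = [r"C:\Tools"]                                 # hypothetical PATH entry

GENUINE = str(PureWindowsPath(SYSTEM32) / DLL_NAME)       # the legitimate system copy
PLANTED = str(PureWindowsPath(APP_DIR) / DLL_NAME)        # attacker copy in the install dir

# Constructed file system: both copies exist.
FILESYSTEM = {GENUINE, PLANTED}


def search_dirs(flags, app_dir, cwd, path_dirs):
    """Directories the loader consults for an unqualified name.

    Without LOAD_LIBRARY_SEARCH_SYSTEM32 this is the default order with
    SafeDllSearchMode enabled: application directory, System32, 16-bit System
    directory, Windows directory, current directory, then each PATH entry.
    With the flag, only System32 is searched."""
    if flags & LOAD_LIBRARY_SEARCH_SYSTEM32:
        return [SYSTEM32]
    return [app_dir, SYSTEM32, r"C:\Windows\System", r"C:\Windows", cwd, *path_dirs]


def resolve(name, flags, app_dir, cwd, path_dirs, filesystem):
    """Return the path the loader would map `name` to, or None if it is nowhere on the list.
    Windows file names are case-insensitive, so compare lower-cased."""
    present = {p.lower() for p in filesystem}
    for d in search_dirs(flags, app_dir, cwd, path_dirs):
        candidate = str(PureWindowsPath(d) / name)
        if candidate.lower() in present:
            return candidate
    return None


def vulnerable_resolution():
    """LoadLibrary(TEXT("DLL_NAME")): the copy in the install directory is found first."""
    return resolve(DLL_NAME, 0, APP_DIR, CWD, PATH_DIRS, FILESYSTEM)


def hardened_resolution():
    """LoadLibraryExW(..., LOAD_LIBRARY_SEARCH_SYSTEM32): only System32 is consulted."""
    return resolve(DLL_NAME, LOAD_LIBRARY_SEARCH_SYSTEM32, APP_DIR, CWD, PATH_DIRS, FILESYSTEM)


def missing_dll_planted_in_cwd():
    """Edge case: the DLL is not in System32 at all (e.g. an optional dependency) and the
    attacker plants it in the working directory. The default order loads the plant;
    the hardened call fails closed and returns None instead of loading it."""
    fs = {str(PureWindowsPath(CWD) / DLL_NAME)}
    return (resolve(DLL_NAME, 0, APP_DIR, CWD, PATH_DIRS, fs),
            resolve(DLL_NAME, LOAD_LIBRARY_SEARCH_SYSTEM32, APP_DIR, CWD, PATH_DIRS, fs))


def load_from_system32(name):
    """The real call in its hardened form (ctypes.WinDLL with winmode, Python >= 3.8).
    WinDLL only exists on Windows, so this raises elsewhere."""
    if os.name != "nt":
        raise OSError("ctypes.WinDLL is only available on Windows")
    import ctypes
    return ctypes.WinDLL(name, winmode=LOAD_LIBRARY_SEARCH_SYSTEM32)


if __name__ == "__main__":
    print("default order ->", vulnerable_resolution())
    print("System32 only ->", hardened_resolution())
    print("missing DLL, planted in cwd ->", missing_dll_planted_in_cwd())
```

Two things follow from the simulation. First, the flag also defeats planting in the working directory and on PATH, not only in the installation directory, and it makes a missing dependency fail to load rather than fall back to an attacker-controlled location. Second, the flag is no help for a DLL that legitimately lives outside System32; such a library has to be loaded by its full path instead.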
Updated software protects
Yubico recommends users update to the bug-fixed versions: libfido2 1.17.0, python-fido2 2.2.0, and yubikey-manager 5.9.1. Developers using the vulnerable libraries in their apps should follow the Microsoft guidance on protecting against DLL preloading attacks to protect their software from these types of attacks.
About two years ago, Yubico had already closed a security vulnerability in YubiKey Manager that allowed attackers to escalate their privileges on the system. In September 2024, a cloning attack exploiting a side channel in the firmware of YubiKey hardware became known under the name EUCLEAK.
(dmk)