CWE-426: Untrusted Search Path
Abstraction: Base | Status: Stable
Category: other
Description
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Common consequences (3)
- Integrity / Confidentiality / Availability / Access Control — Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands. There is the potential for arbitrary code execution with privileges of the vulnerable program.
- Availability — DoS: Crash, Exit, or Restart. The program could be redirected to the wrong files, potentially triggering a crash or hang when the targeted file is too large or does not have the expected format.
- Confidentiality — Read Files or Directories. The program could send the output of unauthorized files to the attacker.
Potential mitigations (5)
- [Architecture and Design, Implementation] Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
- [Implementation] When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
- [Implementation] Remove or restrict all environment settings before invoking other programs. This includes the PATH environment variable, LD_LIBRARY_PATH, and other settings that identify the location of code libraries, and any application-specific search paths.
- [Implementation] Check your search path before use and remove any elements that are likely to be unsafe, such as the current working directory or a temporary files directory.
- [Implementation] Use other functions that require explicit paths. Making use of any of the other readily available functions that require explicit paths is a safe way to avoid this problem. For example, system() in C does not require a full path since the shell can take care of it, while execl() and execv() require a full path.
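The following is an added C example (not part of the CWE entry) combining three of the mitigations above: it filters unsafe elements (empty or relative entries, which mean the current directory, and temporary directories) out of a colon-separated search path, then invokes a program by its fully-qualified path with a fixed, minimal environment instead of the inherited one. The function names, the buffer sizes and the choice of /tmp and /var/tmp as the unsafe directories are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* A PATH element is safe only if it is absolute (an empty or relative element
   means the current working directory) and not under a world-writable temp dir. */
static int element_is_safe(const char *e, size_t n) {
    if (n == 0 || e[0] != '/') return 0;
    if (n >= 4 && strncmp(e, "/tmp", 4) == 0 && (n == 4 || e[4] == '/')) return 0;
    if (n >= 8 && strncmp(e, "/var/tmp", 8) == 0 && (n == 8 || e[8] == '/')) return 0;
    return 1;
}

/* Copy only the safe elements of the colon-separated list `in` into `out`.
   Returns the number of elements kept, or -1 if `out` is too small. */
int sanitize_search_path(const char *in, char *out, size_t outsz) {
    int kept = 0; size_t used = 0;
    const char *p = in;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t n = colon ? (size_t)(colon - p) : strlen(p);
        if (element_is_safe(p, n)) {
            size_t need = n + (kept ? 1 : 0);
            if (used + need + 1 > outsz) return -1;
            if (kept) out[used++] = ':';
            memcpy(out + used, p, n);
            used += n;
            out[used] = '\0';
            kept++;
        }
        if (!colon) break;
        p = colon + 1;
    }
    return kept;
}

int main(void) {
    char safe[256], pathvar[300];
    const char *path = getenv("PATH");
    if (sanitize_search_path(path ? path : "", safe, sizeof safe) < 0) return 1;
    /* Fixed, minimal environment: nothing inherited (no LD_LIBRARY_PATH etc.) */
    snprintf(pathvar, sizeof pathvar, "PATH=%s", safe);
    char *envp[] = { pathvar, NULL };
    char *argv[] = { "ls", "-d", "/", NULL };
    execve("/bin/ls", argv, envp);  /* fully-qualified path, not system("ls") */
    perror("execve"); return 1;
}
```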
Related CAPEC attack patterns (1)
Exploits (incoming, 1)
| Type | Target | Confidence | Tier |
|---|---|---|---|
| AttackPattern | Leveraging/Manipulating Configuration File Search Paths (capec-38) | 100% | live |
Other incoming relations (16)
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Vulnerability | CVE-2025-12819 (cve-2025-12819) | 0% | live |
| Vulnerability | CVE-2025-23266 (cve-2025-23266) | 0% | live |
| Vulnerability | CVE-2025-26155 (cve-2025-26155) | 0% | live |
| Vulnerability | CVE-2025-31480 (cve-2025-31480) | 0% | live |
| Vulnerability | CVE-2025-49124 (cve-2025-49124) | 0% | live |
| Vulnerability | CVE-2025-49457 (cve-2025-49457) | 0% | live |
| Vulnerability | CVE-2026-21280 (cve-2026-21280) | 0% | live |
| Vulnerability | CVE-2026-21333 (cve-2026-21333) | 0% | live |
| Vulnerability | CVE-2026-24070 (cve-2026-24070) | 0% | live |
| Vulnerability | CVE-2026-27290 (cve-2026-27290) | 0% | live |
| Vulnerability | CVE-2026-29089 (cve-2026-29089) | 0% | live |
| Vulnerability | CVE-2026-40287 (cve-2026-40287) | 0% | live |
| Vulnerability | CVE-2026-45721 (cve-2026-45721) | 0% | live |
| Vulnerability | CVE-2026-45772 (cve-2026-45772) | 0% | live |
| KEVEntry | Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability (kev-cve-2012-1854) | 0% | live |
| KEVEntry | Microsoft Windows Client Server Runtime Subsystem (CSRSS) Privilege Escalation Vulnerability (kev-cve-2022-22047) | 0% | live |
Related by meaning (6)
Nearest entities by semantic similarity across the cs-graph corpus.