CVE-2026-3775

Published Apr 1, 2026

Last updated 12 days ago

CVSS high 7.8
Zero-day

Overview

Description
The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low‑privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user‑writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution.
Source
14984358-7092-470d-8f34-ade47a7658a2
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

14984358-7092-470d-8f34-ade47a7658a2
CWE-427

Social media

Hype score
Not currently trending

Related CVEs

  1. JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.CVE-2026-4698
  2. Qualcomm Multiple Chipsets Memory Corruption VulnerabilityCVE-2026-21385
  3. Broadcom VMware Aria Operations Command Injection VulnerabilityCVE-2026-22719
  4. Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass VulnerabilityCVE-2026-20127
  5. Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible.CVE-2026-22769

References

Sources include official advisories and independent security research.