CVE-2026-40851

Unknown · cfgparser

A local confusion attack vulnerability in the cfgparser component allows for potential code execution via a malicious file on a USB stick.

Executive summary

A local confusion vulnerability in the cfgparser component could allow an attacker with physical access to achieve arbitrary code execution.

Vulnerability

This is a local confusion attack targeting the cfgparser utility. An attacker can trigger the vulnerability by providing a specially crafted file via a USB storage device, resulting in arbitrary code execution.

Business impact

This vulnerability carries a CVSS score of 8.4, indicating a high risk of total system compromise. If an attacker gains physical access to the affected hardware, they can execute arbitrary code, potentially leading to unauthorized data access, persistence, or full system takeover.

Remediation

Immediate Action: Restrict physical access to USB ports on critical hardware and apply vendor-provided security patches when available.

Proactive Monitoring: Audit system logs for unexpected file processing errors or unauthorized execution attempts following USB device attachment.

Compensating Controls: Disable USB mass storage functionality via BIOS/UEFI or OS-level policies where such access is not strictly required for operations.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the high CVSS score and the risk of code execution, this vulnerability should be treated with urgency. Implement hardware-level access restrictions immediately to mitigate the risk until a formal patch is deployed.