
    Security Advisory YSA-2026-01 – DLL Search Path Issue

    Published Date: 2026-04-15

    Tracking IDs: YSA-2026-01

    CVE: Pending

    CVSS: 7.0

    Summary

    Security updates that resolve a DLL search path vulnerability on Windows are available for three Yubico open source software projects: libfido2, YubiKey Manager, and python-fido2.

    If an attacker can place a malicious DLL in the directory where the affected software, or the Python interpreter that runs it, is installed, the DLL is loaded into the affected process and the attacker achieves code execution. Where the software has been installed in a directory that only Administrators can write to, the attacker needs an account with that level of access in order to carry out the attack.

    Affected Devices

    • libfido2 versions prior to 1.17.0
    • python-fido2 versions prior to 2.2.0
    • yubikey-manager versions prior to 5.9.1

    Not Affected Devices

    No Yubico hardware is affected. This does not affect any previous or current generation YubiKey Series, YubiKey FIPS Series, Security Key Series, YubiHSM, or YubiHSM FIPS devices.

    How to Tell if You Are Affected

    You are affected if any of the versions of libfido2, python-fido2, or YubiKey Manager listed above is installed on Windows. Installations on other operating systems are not affected.

    To see which version of libfido2 is installed use the following command:
    fido2-token -V


    To see which version of python-fido2 is installed use the following command:
    pip show fido2

    If the target environment has multiple Python installations, use the appropriate Python interpreter to invoke pip. For example:
    python3.11 -m pip show fido2


    To see which version of YubiKey Manager is installed use the following command:
    ykman -v
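    As an added example (not part of this advisory or of any Yubico project), the following Python script runs the three commands above, extracts the first X.Y.Z version number from whatever each tool prints, and compares it against the fixed releases. The exact output layout of each tool is an assumption, so the script looks for a version number anywhere in stdout or stderr, and the sample outputs embedded in it are constructed for illustration rather than captured from real tools. Pre-releases such as 2.2.0rc1 are treated as older than the fixed 2.2.0, and a missing tool or package is reported separately from an affected one.

```python
"""Classify installed libfido2, python-fido2 and YubiKey Manager versions
against the fixed releases named in YSA-2026-01.

Added example; not part of the advisory or of any Yubico project. The
fixed-version thresholds and the three commands come from the advisory.
The sample outputs in SAMPLE_OUTPUTS are constructed for this example:
real tool output may be laid out differently, so the checker only looks
for the first X.Y.Z version number it can find.
"""
import re
import subprocess
import sys

# First release of each project that contains the fix (from the advisory).
FIXED = {
    "libfido2": (1, 17, 0),
    "python-fido2": (2, 2, 0),
    "yubikey-manager": (5, 9, 1),
}

# The advisory's version commands; pip is invoked through the running
# interpreter so the right Python installation is inspected.
COMMANDS = {
    "libfido2": ["fido2-token", "-V"],
    "python-fido2": [sys.executable, "-m", "pip", "show", "fido2"],
    "yubikey-manager": ["ykman", "-v"],
}

# Constructed sample outputs (not captured from real tools).
SAMPLE_OUTPUTS = {
    "libfido2": "1.16.0\n",
    "python-fido2": "Name: fido2\nVersion: 2.1.0\nSummary: FIDO2/WebAuthn library\n",
    "yubikey-manager": "YubiKey Manager (ykman) version: 5.9.1\n",
}

# X.Y.Z optionally followed by a pre-release tag such as rc1, b2 or .dev3.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]?([A-Za-z]\w*))?")


def parse_version(text):
    """Return (major, minor, patch, is_final) for the first X.Y.Z in text,
    or None when no version is present (tool missing, package not found).
    A pre-release such as 2.2.0rc1 sorts before the final 2.2.0, so it is
    reported as not final and therefore still affected."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, m.group(4) is None)


def is_affected(project, output):
    """True if the output shows a version below the fixed release, False if
    the fix is present, None if no version could be read from the output."""
    parsed = parse_version(output)
    if parsed is None:
        return None
    major, minor, patch, is_final = parsed
    fixed = FIXED[project]
    if (major, minor, patch) != fixed:
        return (major, minor, patch) < fixed
    # Exactly the fixed X.Y.Z: only a final build carries the fix.
    return not is_final


def check_installed(project):
    """Run the advisory's command for the project and classify the result."""
    try:
        proc = subprocess.run(COMMANDS[project], capture_output=True,
                              text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    # Some tools write their version banner to stderr; examine both streams.
    return is_affected(project, proc.stdout + proc.stderr)


if __name__ == "__main__":
    if sys.platform != "win32":
        print("note: YSA-2026-01 only applies to Windows installations")
    for project in FIXED:
        state = {None: "not found", True: "AFFECTED", False: "fixed"}
        print(f"{project:16} {state[check_installed(project)]}")
```

    Run it with the same interpreter that the application uses; on a machine with several Python installations, `pip show fido2` reports only the package visible to the interpreter that invoked it.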

    Customer Actions

    Yubico recommends that affected customers update to the latest versions of these libraries to resolve this issue. For integrators who incorporate these libraries in applications, Yubico recommends following Microsoft guidance on installation location (for example, installing under Program Files, which unprivileged users cannot write to) to further defend against this class of attack.

    Issue Details

    The libfido2 project was loading DLLs using LoadLibrary(TEXT("DLL_NAME")), which does not restrict the DLL search path to System32: the default search order looks in the directory the application was loaded from before the system directory, so a DLL of the same name placed alongside the executable is loaded in preference to the real one. The project has been updated to use LoadLibraryExW(L"DLL_NAME", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32), which restricts the search to the system directory when loading DLLs.
    Similarly, the python-fido2 and YubiKey Manager projects were loading DLLs through ctypes without constraining the search path, which for a Python application includes the interpreter's installation directory, and have now been updated to use WinDLL("DLL_NAME", winmode=LOAD_LIBRARY_SEARCH_SYSTEM32).
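    The two ctypes patterns side by side, plus a check a practitioner can run after loading to confirm which file the loader actually picked, as an added example (not code from python-fido2, YubiKey Manager or libfido2). The DLL name hid.dll is an assumed, plausible system library chosen for the demonstration; the winmode keyword requires Python 3.8 or later; the load itself only works on Windows, while the path check is plain string logic and runs anywhere.

```python
"""Loading a Windows system DLL with a constrained search path, and
verifying where the loader resolved it.

Added example; not code from any Yubico project. hid.dll is an assumed
example of a system library; LOAD_LIBRARY_SEARCH_SYSTEM32 is the
documented LoadLibraryEx flag value (0x800).
"""
import ctypes
import ntpath
import os
import sys

# LoadLibraryEx flag: search only %SystemRoot%\System32.
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800


def legacy_load(name):
    """The pattern the advisory fixes. With no winmode, ctypes falls back to
    LOAD_LIBRARY_SEARCH_DEFAULT_DIRS, which searches the application
    directory (for a script, python.exe's install directory) before
    System32, so a file named `name` planted there wins."""
    return ctypes.WinDLL(name)


def hardened_load(name):
    """The corrected pattern: the loader looks in System32 and nowhere else."""
    return ctypes.WinDLL(name, winmode=LOAD_LIBRARY_SEARCH_SYSTEM32)


def module_path(dll):
    """Ask the loader which file backs a loaded module (GetModuleFileNameW).
    dll._handle is the HMODULE ctypes keeps for the loaded library."""
    kernel32 = ctypes.WinDLL("kernel32", winmode=LOAD_LIBRARY_SEARCH_SYSTEM32)
    buf = ctypes.create_unicode_buffer(32768)
    n = kernel32.GetModuleFileNameW(ctypes.c_void_p(dll._handle), buf, len(buf))
    if n == 0:
        raise ctypes.WinError()
    return buf.value


def is_under_system32(path, system_root=r"C:\Windows"):
    """True if path lies inside <system_root>\\System32. Uses ntpath so the
    comparison is case-insensitive, separator-normalised, and resolves
    '..' segments, and so it can be exercised on any platform."""
    system32 = ntpath.normcase(ntpath.join(system_root, "System32")) + "\\"
    return ntpath.normcase(ntpath.normpath(path)).startswith(system32)


def load_and_verify(name, system_root=None):
    """Load `name` the hardened way and confirm the loaded file really lives
    in System32; raise if the loader resolved it anywhere else."""
    if sys.platform != "win32":
        raise OSError("DLL loading is only meaningful on Windows")
    root = system_root or os.environ.get("SystemRoot", r"C:\Windows")
    dll = hardened_load(name)
    path = module_path(dll)
    if not is_under_system32(path, root):
        raise RuntimeError(f"{name} resolved to {path}, outside System32")
    return path


if __name__ == "__main__":
    # On Windows this prints the resolved path, e.g. under C:\Windows\System32.
    print(load_and_verify("hid.dll"))
```

    The verification step is useful beyond this fix: calling `module_path` on a library loaded with the legacy pattern from a directory that also contains a planted DLL of the same name shows the planted path, which is the quickest way to confirm an installation is exposed before and after updating.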

    Severity

    Yubico has rated this issue as high. It has a CVSS score of 7.0.

    Timeline

    March 21, 2026: Donjon Cerberus informs Yubico of the issue in libfido2
    March 27, 2026: Yubico confirms additional impacted projects: python-fido2 and YubiKey Manager
    April 15, 2026: Yubico releases advisory YSA-2026-01