Skip to main content

Microsoft CVE-2026-22561

| EUVDEUVD-2026-17476 MEDIUM
Uncontrolled Search Path Element (CWE-427)
2026-03-31 hackerone GHSA-3c2p-6j48-gmm4
4.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.1.3363
EUVD ID Assigned
Mar 31, 2026 - 16:00 euvd
EUVD-2026-17476
Analysis Generated
Mar 31, 2026 - 16:00 vuln.today
CVE Published
Mar 31, 2026 - 15:30 nvd
MEDIUM 4.7

DescriptionCVE.org

Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation, enabling arbitrary code execution if a malicious DLL is planted alongside the installer.

AnalysisAI

DLL search-order hijacking in Anthropic Claude for Windows installer (Claude Setup.exe) versions before 1.1.3363 enables local privilege escalation to system context. An attacker with low privileges and physical or local access can plant a malicious DLL (such as profapi.dll) in the installer directory; when an elevated user runs the installer, the uncontrolled search path causes the malicious DLL to be loaded and executed with system privileges, achieving arbitrary code execution. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

This vulnerability exploits a fundamental Windows DLL loading mechanism weakness. When an application is executed with elevated privileges (via UAC), Windows searches for dependencies first in the application's own directory before checking system directories. The Claude Setup.exe installer fails to use absolute paths or safe loading mechanisms (such as SetDllDirectory or manifests) when loading system DLLs like profapi.dll. An attacker can pre-stage a malicious DLL with the same name in the installer's directory; when UAC-elevated code executes, it loads the attacker's DLL instead of the legitimate system library. The affected product is Anthropic Claude Desktop for Windows (CPE: cpe:2.3:a:anthropic:claude_desktop_-_windows:*:*:*:*:*:*:*:*), specifically versions prior to 1.1.3363. This class of vulnerability (CWE category: improper control of search path elements) is well-documented in Windows security literature and remains a persistent privilege escalation vector.

RemediationAI

Users and administrators should upgrade to Claude Desktop for Windows version 1.1.3363 or later, which remediates the DLL search-order hijacking vulnerability. The fix eliminates uncontrolled loading of system DLLs from the installer directory. In the interim, users should avoid running the installer from untrusted or shared directories, and system administrators can restrict write permissions to installer directories to prevent malicious DLL placement. For detailed guidance, refer to Anthropic's official security advisory at https://trust.anthropic.com/resources?s=1cvig6ldp3zvuj1yffzr11&name=cve-2026-22561-dll-search-order-hijacking-in-claude-for-windows-installer.

Share

CVE-2026-22561 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy