Skip to main content

Dell Purchased Apps CVE-2026-44275

| EUVDEUVD-2026-35788 MEDIUM
Improper Link Resolution Before File Access (CWE-59)
2026-06-09 dell GHSA-g9cv-3h6q-p67m
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 19:58 vuln.today
Patch available
Jun 09, 2026 - 19:03 EUVD

DescriptionCVE.org

Dell/Alienware Purchased Apps, versions prior to 1.1.32.0, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Arbitrary File Write

AnalysisAI

Arbitrary file write in Dell/Alienware Purchased Apps versions prior to 1.1.32.0 is achievable by a low-privileged local attacker through a link-following (CWE-59) flaw, enabling overwrite of files at elevated privilege levels and resulting in high integrity and availability impact. The CVSS vector (AV:L/AC:H/PR:L) confirms local access with high attack complexity is required, suggesting exploitation likely involves a race condition or carefully staged symlink placement. No active exploitation is confirmed (not in CISA KEV), and a vendor-released patch is available at version 1.1.32.0.

Technical ContextAI

CWE-59 (Improper Link Resolution Before File Access, 'Link Following') describes a class of vulnerabilities where an application resolves a symbolic or hard link to a file path without adequate validation, allowing an attacker to redirect file operations to unintended targets. In this case, Dell/Alienware Purchased Apps - identified via CPE cpe:2.3:a:dell:dell/alienware_purchased_apps:*:*:*:*:*:*:*:* - performs file creation or modification operations using a path that a low-privileged user can influence by pre-placing a symlink. The CVSS confidentiality impact of C:N indicates no sensitive data is read during exploitation, but the high integrity (I:H) and availability (A:H) scores confirm that attacker-controlled content can be written to arbitrary locations, potentially corrupting system files or escalating privileges. The high attack complexity (AC:H) is characteristic of race-condition-dependent symlink attacks, where timing between symlink placement and file access is critical. It is also worth noting a discrepancy in the provided metadata: the tags include 'Information Disclosure', yet the CVSS vector explicitly records C:N (no confidentiality impact) and the description describes Arbitrary File Write - this inconsistency should be verified against the full vendor advisory DSA-2026-250.

RemediationAI

The primary remediation is to update Dell/Alienware Purchased Apps to version 1.1.32.0 or later, which addresses the link-following vulnerability. The patch is available through the Dell support portal and the vendor advisory DSA-2026-250 at https://www.dell.com/support/kbdoc/en-us/000472463/dsa-2026-250. For environments where immediate patching is not feasible, compensating controls should focus on limiting local account access: restrict interactive logon rights to only necessary users on affected systems, audit and enforce least-privilege principles for user accounts, and monitor file system activity in directories used by the Purchased Apps application for unexpected symbolic link creation (e.g., via Windows audit policies for object access or EDR file system telemetry). Note that these compensating controls raise the effective attack complexity but do not eliminate the vulnerability - patching remains the only confirmed fix. Exact patch version 1.1.32.0 is confirmed by the vendor advisory and EUVD data.

Share

CVE-2026-44275 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy