CVE-2024-9496
Published: 24 January 2025
Description
DLL hijacking vulnerabilities, caused by an uncontrolled search path in the USBXpress Dev Kit installer, can lead to privilege escalation and arbitrary code execution when the impacted installer is run.
Security Summary
CVE-2024-9496 is a DLL hijacking vulnerability (CWE-427: Uncontrolled Search Path Element) affecting the USBXpress Dev Kit installer. The issue arises from an uncontrolled search path during installation, which can enable privilege escalation and arbitrary code execution when the impacted installer is executed. It carries a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and was published on 2025-01-24.
A local attacker requires no privileges (PR:N) and the attack is of low complexity (AC:L), but it requires user interaction (UI:R), such as convincing a user to run the installer. Successful exploitation allows arbitrary code execution with a scope change (S:C), resulting in high impact to confidentiality, integrity, and availability.
Mitigation details are available in the Silicon Labs community advisory at https://community.silabs.com/068Vm00000JUQwd.
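As an added, defensive pre-flight check that is not part of the advisory or of Silicon Labs' own tooling: before running any installer elevated, audit the directory it sits in for DLLs that an unqualified library load could pick up ahead of the system copies, and for write access by low-privileged principals. The installer path parameter and the principal-name pattern are assumptions for this example.

```powershell
# Added example, not from the advisory. Assumes the installer path is passed as -InstallerPath.
param([Parameter(Mandatory)][string]$InstallerPath)

$installer = Get-Item -LiteralPath $InstallerPath
$dir = $installer.DirectoryName

# 1. Every DLL beside the installer is a candidate for being loaded instead of the
#    intended system library when the installer uses an uncontrolled search path.
#    Report each one with its Authenticode status so unexpected or unsigned files stand out.
Get-ChildItem -LiteralPath $dir -Filter *.dll -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Dll    = $_.Name
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    }
}

# 2. If standard users can write to this directory (typical for Downloads or a shared
#    folder), a low-privileged account could plant a DLL that the elevated installer
#    would then load. Flag that condition so the installer is moved somewhere protected first.
$acl = Get-Acl -LiteralPath $dir
$lowPrivWrite = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match 'Users|Everyone|Authenticated Users' -and   # assumed pattern
    ($_.FileSystemRights -match 'Write|Modify|FullControl')
}
if ($lowPrivWrite) {
    Write-Warning "$dir is writable by low-privileged principals; copy the installer to an admin-only directory (e.g. under Program Files) before running it elevated."
} else {
    Write-Output "$dir is not writable by low-privileged principals."
}
```

Run it against the installer's location; a non-empty DLL listing or the write-access warning means the installer should be run only from a clean, admin-only directory, in line with the advisory's mitigation guidance.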
Details
- CWE(s): CWE-427 (Uncontrolled Search Path Element)