CVE-2019-3726

CVE-2019-3726 is a medium-severity vulnerability in Dell Update Package Framework with a CVSS 3.x base score of 6.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-427.

Key facts

Description

An Uncontrolled Search Path Vulnerability is applicable to the following: Dell Update Package (DUP) Framework file versions prior to 19.1.0.413, and Framework file versions prior to 103.4.6.69 used in Dell EMC Servers. Dell Update Package (DUP) Framework file versions prior to 3.8.3.67 used in Dell Client Platforms. The vulnerability is limited to the DUP framework during the time window when a DUP is being executed by an administrator. During this time window, a locally authenticated low privilege malicious user potentially could exploit this vulnerability by tricking an administrator into running a trusted binary, causing it to load a malicious DLL and allowing the attacker to execute arbitrary code on the victim system. The vulnerability does not affect the actual binary payload that the DUP delivers.

Frequently asked questions

What is CVE-2019-3726?
An Uncontrolled Search Path Vulnerability is applicable to the following: Dell Update Package (DUP) Framework file versions prior to 19.1.0.413, and Framework file versions prior to 103.4.6.69 used in Dell EMC Servers. Dell Update Package (DUP) Framework file versions prior to 3.8.3.67 used in Dell Client Platforms. The vulnerability is limited to the DUP framework during the time window when a DUP is being executed by an administrator. During this time window, a locally authenticated low privilege malicious user potentially could exploit this vulnerability by tricking an administrator into running a trusted binary, causing it to load a malicious DLL and allowing the attacker to execute arbitrary code on the victim system. The vulnerability does not affect the actual binary payload that the DUP delivers.
How severe is CVE-2019-3726?
CVE-2019-3726 has a CVSS 3.x base score of 6.7, rated medium severity. It is exploitable over local access with high attack complexity, requires low privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-3726 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (37th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2019-3726?
CVE-2019-3726 affects Dell Update Package Framework. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2019-3726?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2019-3726 published?
CVE-2019-3726 was published on 2019-09-24 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Dell Update Package Framework

All CVEs affecting Dell Update Package Framework →

Other CWE-427 (Uncontrolled Search Path Element) vulnerabilities

Browse all CWE-427 (Uncontrolled Search Path Element) vulnerabilities →