MULTIPLE VULNERABILITY REPORT: Multiple DLL Hijacking Vulnerability in CygWin setup-x86_64.exe

Csaba Ráduly
Sun Feb 11 19:19:09 GMT 2024

On 06/02/2024 23:10, Kaz Kylheku via Cygwin wrote:
> On 2024-02-04 21:22, Suman Chakraborty via Cygwin wrote:
>> 1. Executive Summary:
>> The vulnerability pertains to not finding
>> the profapi.dll, CFGMGR32.dll, edputil.dll,  urlmon.dll, SspiCli.dll,
>> Wldp.dll, MPR.dll, ServicingCommon.dll, TextShaping.dll, CRYPTBASE.DLL,
>> PROPSYS.dll and insecure loading of dynamic link libraries (DLLs),
>> specifically profapi.dll. If exploited, this vulnerability could allow an
>> attacker to execute arbitrary code on a victim's machine, potentially
>> leading to data breaches, system compromise, and other malicious activities.
> By what means is setup.exe probing these DLLs?
> I don't see any references to profapi.dll in its source tree
> (git grep -i profapi turns up nothing).

According to Dependency Walker, profapi.dll is a dependency of userenv.dll,
which in turn is a dependency of sechost.dll,
which in turn is a dependency of advapi32.dll

I don't think setup-x86_64.exe has any say in how these dependencies are 


Life is complex, with real and imaginary parts.
