The Common Vulnerabilities and Exposures (CVE) project, which aims to provide a comprehensive list of publicly disclosed cybersecurity vulnerabilities, has recently published a new entry: CVE-2022-26086. This vulnerability is associated with the Intel(R) PresentMon software, which is used for real-time performance monitoring of various applications, including games. Versions of the software prior to 1.7.1 are affected by an uncontrolled search path element issue, which may enable an attacker with local access to escalate their privileges on the targeted system.

Exploit Details

This vulnerability is a result of the software failing to properly control the search path elements used to resolve external dependencies. An attacker who manages to place a malicious file named "evil.dll" in a specific directory in the search path could take advantage of this weakness to execute their own code with elevated privileges when the PresentMon software is launched by an authenticated user.

Here is a code snippet that demonstrates a malicious DLL that could be placed in the search path to exploit the vulnerability:

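// evil_dll.cpp
#include <Windows.h>

// DllMain runs automatically when a process loads this DLL.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        // Harmless marker showing that code ran inside the loading process.
        // MessageBoxA matches the narrow string literals in UNICODE builds too.
        MessageBoxA(NULL, "Evil DLL has been loaded!", "Evil DLL", MB_OK);
    }
    return TRUE;
}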

An attacker could compile this code and then place the resulting "evil.dll" file in a directory in the PresentMon software's search path, such as the application's working directory or a directory listed in the PATH environment variable. They would then wait for a legitimate user to launch the affected PresentMon software. Once the software is started, the attacker's malicious code is executed instead of the expected external dependency, potentially giving the attacker increased privileges on the targeted system.

Mitigation

Intel has addressed this vulnerability by updating the PresentMon software to properly handle search path elements. The fix is included in PresentMon version 1.7.1, which can be obtained from the official GitHub repository: https://github.com/GameTechDev/PresentMon/releases/tag/v1.7.1.

Users who are running a prior version of PresentMon should immediately update their software to the latest version (1.7.1 or newer) to mitigate the risk associated with this vulnerability. Following proper security practices, users should also be cautious when downloading external dependencies and ensure that they are obtained from trusted sources.
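
The DLL load described under Exploit Details can also be watched for in image-load telemetry. The following is an added example, not code from Intel or the PresentMon project: it filters events shaped like Sysmon Event ID 7 (fields Image, ImageLoaded, Signed) for DLLs that PresentMon loaded from outside the system directories. The executable name, the directory list and the sample events are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules on any OS, so the check runs offline

# Assumption: system directories a dependency may legitimately load from.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")

def is_under(path, directory):
    """True if path is inside directory (case-insensitive, '..' resolved)."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p.startswith(d + "\\")  # trailing separator rejects 'System32Extra'

def suspicious_loads(events, name_prefix="presentmon"):
    """Flag DLL loads by PresentMon that did not come from a system directory.

    events: dicts with the Sysmon Event ID 7 fields Image, ImageLoaded, Signed.
    Returns a list of (ImageLoaded, reason) tuples in input order.
    """
    findings = []
    for ev in events:
        image, loaded = ev["Image"], ev["ImageLoaded"]
        if not ntpath.basename(image).lower().startswith(name_prefix):
            continue  # some other process
        if not loaded.lower().endswith(".dll"):
            continue  # the executable's own image also appears in these events
        if any(is_under(loaded, d) for d in SYSTEM_DIRS):
            continue
        if not is_under(loaded, ntpath.dirname(image)):
            findings.append((loaded, "outside application and system directories"))
        elif ev.get("Signed", "false").lower() != "true":
            findings.append((loaded, "unsigned DLL in application directory"))
    return findings

# Constructed sample events (not real telemetry); paths and names are placeholders.
EXE = r"C:\Tools\PresentMon\PresentMon.exe"
SAMPLE_EVENTS = [
    {"Image": EXE, "ImageLoaded": r"c:\windows\SYSTEM32\kernel32.dll", "Signed": "true"},
    {"Image": EXE, "ImageLoaded": r"C:\Windows\System32Extra\example_dep.dll", "Signed": "false"},
    {"Image": EXE, "ImageLoaded": r"C:\Users\alice\Downloads\example_dep.dll", "Signed": "false"},
    {"Image": EXE, "ImageLoaded": r"C:\Tools\PresentMon\example_dep.dll", "Signed": "false"},
    {"Image": r"C:\Windows\notepad.exe", "ImageLoaded": r"C:\Temp\other.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for path, reason in suspicious_loads(SAMPLE_EVENTS):
        print(f"{path}: {reason}")
```

Signed DLLs in the application directory are treated as expected here, which assumes that directory is writable only by administrators.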

Conclusion

The CVE-2022-26086 vulnerability in Intel's PresentMon software highlights the potential risks associated with uncontrolled search path elements. By exploiting this vulnerability, an attacker with local access can potentially escalate privileges on the targeted system. In order to protect against such attacks, it is essential that users update their software to the latest version available and follow best security practices when dealing with external dependencies.

Timeline

Published on: 11/11/2022 16:15:00 UTC
Last modified on: 11/17/2022 22:24:00 UTC