JVNVU#93474119
Multiple Brother software installers may insecurely load Dynamic Link Libraries
Overview
Multiple software installers provided by Brother Industries, Ltd. may insecurely load Dynamic Link Libraries.
Products Affected
The installers of the following software are affected:
- Software Update Notification Updater, 1.0.21.0 and prior versions
- Status Monitor Update Tool, 1.43.0.0 and prior versions
- Universal Printer Driver, version 1.00
- Universal Printer Driver for BR-Script (PostScript language emulation), 1.18.1 and prior versions
- Universal Printer Driver for PCL, 1.10.1 and prior versions
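The affected-version list above expressed as a triage check for installer packages held in a software repository. This is an added example, not code from Brother or JPCERT/CC. The function names and the sample inventory are hypothetical, and it assumes versions compare numerically per dotted component.

```python
# Added example: triage installer versions against JVNVU#93474119.
# AFFECTED is transcribed from "Products Affected"; function names are hypothetical.
# Assumption: versions compare numerically per dotted component ("1.00" == "1.0").

AFFECTED = [  # (product, comparison, boundary version)
    ("Software Update Notification Updater", "<=", "1.0.21.0"),
    ("Status Monitor Update Tool", "<=", "1.43.0.0"),
    ("Universal Printer Driver", "==", "1.00"),
    ("Universal Printer Driver for BR-Script (PostScript language emulation)", "<=", "1.18.1"),
    ("Universal Printer Driver for PCL", "<=", "1.10.1"),
]


def parse_version(text, width=4):
    """Turn '1.18.1' into (1, 18, 1, 0) so versions of different length compare."""
    parts = text.strip().split(".")
    if len(parts) > width or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple([int(p) for p in parts] + [0] * (width - len(parts)))


def is_affected(product, version):
    """True/False for a product the advisory lists, None for any other product."""
    wanted = product.strip().casefold()
    have = parse_version(version)
    for name, op, boundary in AFFECTED:
        if name.casefold() == wanted:
            limit = parse_version(boundary)
            return have <= limit if op == "<=" else have == limit
    return None


def triage(inventory):
    """Label each (product, installer version) pair from an inventory."""
    labels = {True: "affected", False: "not listed as affected", None: "product not in advisory"}
    return {(p, v): labels[is_affected(p, v)] for p, v in inventory}


if __name__ == "__main__":
    # Constructed inventory of installer packages held on a deployment share.
    sample = [
        ("Status Monitor Update Tool", "1.42.3.0"),
        ("Universal Printer Driver for PCL", "1.10.2"),
        ("Universal Printer Driver", "1.00"),
    ]
    for item, verdict in triage(sample).items():
        print(item, "->", verdict)
```

A result of "not listed as affected" only means the version falls outside the ranges this advisory gives; the advisory does not state the fixed version numbers.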
Description
Multiple software installers provided by Brother Industries, Ltd. may insecurely load some dynamic link libraries.
- Uncontrolled search path element (CWE-427)
- CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.5
- CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
- CVE-2016-2542, CVE-2021-41526
Impact
Arbitrary code may be executed with Administrator privilege.
Solution
Use the latest installers
Use the latest installers which have fixed this issue.
This issue concerns the behavior of the installers; software that is already installed is not affected.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Brother Industries, Ltd. | Vulnerable | 2026/01/23 | Brother Industries, Ltd. website |
References
- Japan Vulnerability Notes JVNTA#91240916: Insecure DLL Loading and Command Execution Issues on Many Windows Application Programs
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Kazuma Matsumoto of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to Brother Industries, Ltd. and coordinated.
After the coordination was completed, Brother Industries, Ltd. reported the case to JPCERT/CC to notify users of the solution through JVN.