Published:2026/07/15  Last Updated:2026/07/15

JVN#59875262
Installer of HYPER SBI 2 insecurely loads Dynamic Link Libraries

Overview

Installer of HYPER SBI 2 provided by SBI SECURITIES Co.,Ltd. insecurely loads Dynamic Link Libraries.

Products Affected

  • HYPER SBI 2 versions before ver.3.20.0

Description

The installer of HYPER SBI 2 provided by SBI SECURITIES Co., Ltd. insecurely loads Dynamic Link Libraries.

  • Uncontrolled search path element (CWE-427)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
    • CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
    • CVE-2026-42936

Impact

If there is a crafted DLL at the same directory when invoking the affected installer, arbitrary code may be executed with the privilege of the user invoking the installer.

Solution

Use the latest installer
Use the latest installer provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
SBI SECURITIES Co.,Ltd. Vulnerable 2026/07/15

References

  1. Japan Vulnerability Notes JVNTA#91240916
    Insecure DLL Loading and Command Execution Issues on Many Windows Application Programs

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2026-42936
JVN iPedia JVNDB-2026-000098