Local Privilege Escalation (LPE) in Splunk Enterprise for Windows through DLL Search‑Order Hijacking
Advisory ID: SVD-2026-0205
CVE ID: CVE-2026-20140
Published: 2026-02-18
Last Update: 2026-02-18
CVSSv3.1 Score: 7.7, High
CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE‑427
Bug ID: VULN-44060
Description
In Splunk Enterprise for Windows versions below 10.2.0, 10.0.3, 9.4.8, 9.3.9, and 9.2.12, a low‑privileged Windows user who can create a directory on the system drive where Splunk Enterprise is installed and write a malicious DLL into that directory, might cause Splunk Enterprise for Windows to load that DLL during Splunk Enterprise service startup. This condition can result in a Local Privilege Escalation (LPE) through a DLL search‑order hijacking, as the injected DLL might run with system level privileges when the Splunk Enterprise instance restarts.
Solution
Upgrade Splunk Enterprise for Windows to versions 10.2.0, 10.0.3, 9.4.8, 9.3.9, 9.2.12, or higher.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.2 | Splunk Web | Not affected | 10.2.0 |
| Splunk Enterprise | 10.0 | Splunk Web | 10.0.0 to 10.0.2 | 10.0.3 |
| Splunk Enterprise | 9.4 | Splunk Web | 9.4.0 to 9.4.7 | 9.4.8 |
| Splunk Enterprise | 9.3 | Splunk Web | 9.3.0 to 9.3.8 | 9.3.9 |
| Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.11 | 9.2.12 |
Mitigations and Workarounds
See Install on Windows for more information on how to install Splunk Enterprise.
Detections
None
Severity
Splunk rates this vulnerability a 7.7, High, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H.
If the Splunk Enterprise instance does not run on Windows, there should be no impact and the severity would be Informational.
Acknowledgments
Marius Gabriel Mihai