A serious flaw in Splunk Enterprise for Windows lets low-privileged users hijack DLL loading and escalate to SYSTEM-level access.
Tracked as CVE-2026-20140, this local privilege escalation (LPE) vulnerability stems from DLL search-order hijacking and carries a CVSSv3.1 score of 7.7 (High). Splunk disclosed it on February 18, 2026, via advisory SVD-2026-0205.
The issue affects Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.8, 9.3.9, and 9.2.12. A low-privileged Windows user can exploit it by creating a directory on the system drive where Splunk is installed and dropping a malicious DLL there.
When the Splunk service restarts, it loads the rogue DLL instead of the legitimate one because Windows follows a predictable DLL search path.
This grants the injected code SYSTEM privileges, allowing it to perform data theft, malware persistence, or lateral movement in enterprise networks.
DLL search-order hijacking exploits how Windows prioritizes loading libraries from the current directory before safe paths.
In Splunk’s case, the service startup process follows this flawed order, a classic CWE-427 (Untrusted Search Path) weakness.
Exploitation requires local access and user interaction (like convincing a user to restart the service) and has high attack complexity, but needs no privileges upfront.
The CVSS vector CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H highlights its scope: a local attack vector but high impact on confidentiality, integrity, and availability with elevated privileges.
| Product | Base Version | Affected Versions | Fix Version |
|---|---|---|---|
| Splunk Enterprise | 10.2 | Not affected | 10.2.0 |
| Splunk Enterprise | 10.0 | 10.0.0 to 10.0.2 | 10.0.3 |
| Splunk Enterprise | 9.4 | 9.4.0 to 9.4.7 | 9.4.8 |
| Splunk Enterprise | 9.3 | 9.3.0 to 9.3.8 | 9.3.9 |
| Splunk Enterprise | 9.2 | 9.2.0 to 9.2.11 | 9.2.12 |
Splunk urges upgrades to patched versions: 10.2.0, 10.0.3, 9.4.8, 9.3.9, 9.2.12, or later. Non-Windows deployments face no risk, dropping severity to Informational.
No workarounds exist beyond restricting directory creation on the system drive or monitoring Splunk service startups for anomalies. Admins should review logs for unexpected DLL loads via tools.
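To support the directory-creation restriction mentioned above, the following added example (not from the Splunk advisory) lists which non-administrative principals can currently create a directory at the root of the drive hosting Splunk. The install path and the list of trusted SIDs are assumptions to adjust for your environment; deny ACEs and group membership are not evaluated.

```powershell
# Added example: audit who can create directories at the root of the
# drive where Splunk is installed. Read-only; changes nothing.
param(
    # Assumed install path; change to match your deployment.
    [string]$SplunkHome = 'C:\Program Files\Splunk'
)

$root = [System.IO.Path]::GetPathRoot($SplunkHome)

# CreateDirectories/AppendData (0x4), plus GENERIC_WRITE and GENERIC_ALL,
# which Get-Acl reports as raw numbers rather than named rights.
$createMask = 0x4 -bor 0x40000000 -bor 0x10000000

# Well-known SIDs expected to hold this right (assumed allow-list).
$trusted = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # TrustedInstaller
)

$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($ace in (Get-Acl -LiteralPath $root).GetAccessRules($true, $true, $sidType)) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Inherit-only ACEs apply to children, not to the root itself.
    if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }
    if (([int]$ace.FileSystemRights -band $createMask) -eq 0) { continue }
    $sid = $ace.IdentityReference.Value
    if ($trusted -contains $sid) { continue }

    # Resolve the SID to a name where possible; keep the SID otherwise.
    try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid }

    [pscustomobject]@{
        Path     = $root
        Identity = $name
        Sid      = $sid
        Rights   = $ace.FileSystemRights
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output "No non-administrative principal can create directories in $root" }
```

Any principal it reports, such as a broad group like Authenticated Users, is a candidate for tightening until the patched version is installed.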
Admins must patch fast to avoid real-world abuse by threat actors eyeing LPE chains. No active exploits appear in the wild yet, but its high score demands urgency.

