CVE-2021-26807
📋 TL;DR
CVE-2021-26807 is a DLL hijacking vulnerability in GOG Galaxy Client 2.0.28.9 and earlier. The client resolves some of the DLLs it needs through the PATH environment variable without verifying their signature, so a local attacker who can write a same-named DLL into a PATH directory that the loader searches before it reaches the legitimate copy gets arbitrary code execution in the client's security context. Any Windows host running an affected version is exposed.
💻 Affected Systems
- GOG Galaxy Client
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution with the privileges of the user running Galaxy Client, potentially leading to malware installation, data theft, or lateral movement.
Likely Case
Execution of attacker-controlled code in the context of the account that runs the client, whenever the attacker can write to a directory on PATH that is searched before the legitimate DLL location. This amounts to a local privilege escalation only when that account is more privileged than the one that can write to the PATH directory.
If Mitigated
Limited impact if proper application whitelisting, DLL signing verification, or restricted user permissions are enforced.
🎯 Exploit Status
Exploitation requires the ability to write a DLL into a PATH directory that is searched before the legitimate one, i.e. local access or an existing low-privileged foothold on the host. A public proof-of-concept demonstrates the attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.35 or later
Vendor Advisory: https://www.gog.com
Restart Required: Yes
Instructions:
1. Open GOG Galaxy Client.
2. Go to Settings > General.
3. Check for updates and install version 2.0.35 or newer.
4. Restart the client.
🔧 Temporary Workarounds
Restrict PATH directory permissions
Prevent unauthorized users from writing to directories in the PATH environment variable that are searched before the legitimate DLL locations.
Use Windows permissions to restrict write access to vulnerable PATH directories for standard users.
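The audit behind this workaround, as an added PowerShell example that is not part of the advisory or of GOG's software: it walks the machine-wide PATH in search order and reports every directory in which a low-privileged principal holds a right that allows creating files (the planting condition for a PATH-based DLL hijack). The set of principals treated as low-privileged is an assumption and is matched by well-known SID so it works on non-English Windows.

```powershell
# Added example (not from the advisory or GOG): find PATH directories that
# low-privileged principals can drop a DLL into.

function ConvertTo-SidString {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Orphaned SIDs that no longer resolve are returned unchanged.
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $Identity.Value }
}

function Get-WritablePathDirectory {
    [CmdletBinding()]
    param(
        # The Machine value is inherited by every logon session and service,
        # so it is the one that matters for a PATH-based hijack.
        [ValidateSet('Machine', 'User', 'Process')]
        [string]$Scope = 'Machine',

        # Assumed list of untrusted principals, as well-known SIDs:
        # Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE.
        [string[]]$LowPrivSid = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')
    )

    # CreateFiles (WriteData) is bit 0x2 of FileSystemRights; Write, Modify and
    # FullControl all include it, so one bit test catches every right that lets
    # a principal create a new file in the directory.
    $createFilesBit = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles

    $entries = [Environment]::GetEnvironmentVariable('Path', $Scope) -split ';' |
        Where-Object { $_.Trim() } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) }

    $position = 0
    foreach ($dir in $entries) {
        $position++
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A missing PATH entry is still searched; whoever can create the
            # directory owns that search slot, so flag it for a parent-ACL review.
            [pscustomobject]@{ Position = $position; Directory = $dir; Writers = '(missing directory)' }
            continue
        }

        $writers = (Get-Acl -LiteralPath $dir).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $LowPrivSid -contains (ConvertTo-SidString $_.IdentityReference) -and
                (([int]$_.FileSystemRights) -band $createFilesBit) -ne 0
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique

        if ($writers) {
            [pscustomobject]@{ Position = $position; Directory = $dir; Writers = ($writers -join ', ') }
        }
    }
}

# Usage: findings for the machine-wide PATH, in the order the loader searches it.
Get-WritablePathDirectory -Scope Machine | Format-Table -AutoSize
```

Any directory the script lists is a valid planting location for a process that falls through to PATH for one of its DLLs; the first directory in PATH order that contains a matching file name wins, so a late entry still matters if no earlier directory holds a legitimate copy. Remove the write grant with `icacls "<directory>" /remove:g Users` (or the principal the script named), then re-run the audit.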
Use application whitelisting
Configure Windows Defender Application Control or similar solutions to block execution of unsigned DLLs from untrusted locations.
🧯 If You Can't Patch
- Remove write permissions for standard users to directories in PATH that are searched before legitimate DLL locations.
- Monitor for suspicious DLL loading events using Windows Event Logs or EDR solutions.
🔍 How to Verify
Check if Vulnerable:
Check if GOG Galaxy Client version is 2.0.28.9 or earlier by opening the client and navigating to Settings > General to view version.
Check Version:
The running version is shown in the client GUI at Settings > General. From the command line, read the file version of GalaxyClient.exe from the executable's version resource (Explorer > Properties > Details, or the file's VersionInfo in PowerShell) and compare it with 2.0.35.
Verify Fix Applied:
Confirm the client version is 2.0.35 or newer in Settings > General. For a functional check in an isolated lab only: place a benign DLL carrying one of the affected library names in a PATH directory and confirm the patched client no longer loads it; never do this on a production host.
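A command-line version check, as an added PowerShell example that is not part of the advisory or of GOG's software: it reads the version resource of GalaxyClient.exe and compares it with the fixed release. The install path used by default is an assumption (the usual 32-bit Program Files location); pass -ExePath if the client lives elsewhere.

```powershell
# Added example (not from the advisory or GOG): compare the installed
# GalaxyClient.exe file version with the first fixed release.

function Test-GalaxyClientVersion {
    [CmdletBinding()]
    param(
        # Assumed default install location.
        [string]$ExePath = "${env:ProgramFiles(x86)}\GOG Galaxy\GalaxyClient.exe",
        [version]$FixedVersion = '2.0.35'
    )

    if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) {
        return [pscustomobject]@{
            Path         = $ExePath
            Installed    = $null
            FixedVersion = $FixedVersion
            Status       = 'not found (client not installed, or installed elsewhere)'
        }
    }

    $info = (Get-Item -LiteralPath $ExePath).VersionInfo
    # FileVersionRaw is the parsed numeric version (PowerShell 4+); older hosts
    # get the leading numeric part of the string form instead.
    $installed = $null
    if ($info.FileVersionRaw) {
        $installed = [version]$info.FileVersionRaw
    } else {
        $installed = [version](($info.FileVersion -split '[^\d.]')[0])
    }

    $status = 'patched'
    if ($installed -lt $FixedVersion) { $status = 'VULNERABLE: update to 2.0.35 or later' }

    [pscustomobject]@{
        Path         = $ExePath
        Installed    = $installed
        FixedVersion = $FixedVersion
        Status       = $status
    }
}

Test-GalaxyClientVersion
```

The [version] comparison handles four-part file versions correctly (2.0.35.0 and later compare as patched, 2.0.28.9 as vulnerable), which a string comparison would not.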
📡 Detection & Monitoring
Log Indicators:
- Sysmon Operational log Event ID 7 (Image loaded) entries showing GalaxyClient.exe loading a DLL from outside its install directory (the built-in Security and System logs do not record module loads)
- EDR alerts for unsigned DLL loading by GalaxyClient.exe
Network Indicators:
- None - this is a local file system attack
SIEM Query:
EventID=7 (Image loaded) where Image ends with '\GalaxyClient.exe', ImageLoaded ends with '\zlib1.dll', '\libgcc_s_dw2-1.dll' or '\libwinpthread-1.dll', and ImageLoaded does not start with the client's install directory; add Signed != 'true' as a secondary condition (field names as emitted by Sysmon Event ID 7).
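The query above run locally against the Sysmon log, as an added PowerShell example that is not part of the advisory: it pulls Event ID 7 records, keeps those where GalaxyClient.exe loaded one of the three DLL names, and reports a hit when the load path is outside the install directory or the module is unsigned. Sysmon with image-load logging enabled is required; the install directory is the assumed default.

```powershell
# Added example (not from the advisory or GOG): hunt Sysmon image-load events
# for GalaxyClient.exe picking up one of the affected DLL names from an
# unexpected location or without a signature.

function Find-GalaxyDllHijackEvent {
    [CmdletBinding()]
    param(
        [string[]]$TargetDll = @('zlib1.dll', 'libgcc_s_dw2-1.dll', 'libwinpthread-1.dll'),
        # Assumed default install location; loads from anywhere else are suspect.
        [string]$TrustedDir = "${env:ProgramFiles(x86)}\GOG Galaxy",
        [datetime]$Since = (Get-Date).AddDays(-7),
        [int]$MaxEvents = 50000
    )

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $data = @{}
        foreach ($node in ([xml]$ev.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }

        if ($data.Image -notlike '*\GalaxyClient.exe') { continue }
        $dllName = [IO.Path]::GetFileName($data.ImageLoaded)
        if ($TargetDll -notcontains $dllName) { continue }

        $reasons = @()
        if (-not $data.ImageLoaded.StartsWith($TrustedDir, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'loaded from outside the install directory'
        }
        if ($data.Signed -ne 'true') { $reasons += 'DLL is not signed' }
        if (-not $reasons) { continue }

        [pscustomobject]@{
            Time      = $ev.TimeCreated
            Process   = $data.Image
            Dll       = $data.ImageLoaded
            Signed    = $data.Signed
            Signature = $data.Signature
            Hashes    = $data.Hashes
            Reason    = ($reasons -join '; ')
        }
    }
}

Find-GalaxyDllHijackEvent | Format-Table -AutoSize
```

The three file names are common MinGW runtime libraries that many legitimate programs ship, so the hit condition is the load path and signature state, not the name alone; baseline the Signed and Signature values against a known-good install before treating the unsigned condition as a high-confidence indicator.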