New to Telerik UI for WinForms? Download free 30-day trial

Local Code Execution Vulnerability


Product Alert – May 2024 - CVE-2024-3892

  • Telerik UI for WinForms v2021.1.122 to v2024.1.312


CWE-94: Improper Control of Generation of Code ('Code Injection')

In Telerik UI for WinForms versions v2021.1.122 to v2024.1.312, it is possible to manipulate the application configuration to register a specially crafted external assembly as a theme.

What are the Impacts

This can allow a preexisting local threat actor to execute local code at the same permission level as the application the next time the application is launched.


We have addressed the vulnerability and the Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.

Version  Guidance
Earlier than 2021.1.122 Not Affected
2021.1.122 to 2024.1.312 Update to v2024.2.514 Update Instructions
2024.2.514 or later Not Affected

To confirm your current version of UI for WinForms, check the version of Telerik.WinControls.dll the project is referencing. All customers who have a UI for WinForms license can access the downloads here Product Download | Your Account.


  • The threat actor must already have access to the local system, this is not a remote code execution vulnerability.
  • The arbitrary code in the custom precompiled assembly can only be executed at the same privilege as the application.
  • Modification of a running application’s configuration is not successful; this attack must be implemented pre-launch.

If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.

External References

CVE-2024-3892 (HIGH)

CVSS: 7.2

A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. This vulnerability could allow an untrusted theme assembly to execute arbitrary code on the local Windows system.

In this article