A few months ago I disclosed IBM(R) Db2(R) Windows client DLL  
Hijacking Vulnerability(0day) I found:  
In that post I mentioned the vulnerability did not get fully patched.  
After I told IBM on HackerOne that I had disclosed it, HackerOne asked me  
to delete the post, and IBM apologized and fully patched the  
But this is not the point today. I found a similar problem in  
After installing the software, create C:\DummyTLS, rename a DLL you  
want to load to dummyTLS.dll and put it at C:\DummyTLS\dummyTLS.dll.  
Run "C:\Program Files (x86)\VMware\VMware ThinApp\Setup Capture.exe"  
and C:\DummyTLS\dummyTLS.dll will be loaded.  
(Other executables such as log_monitor.exe and snapshot.exe are vulnerable too.)  
This is also because they use code like:  
LoadLibraryExW(L"\\DummyTLS\\dummyTLS.dll", 0, 0);  
In short, Windows treats a relative path passed to LoadLibrary (and many  
other functions) as a path rooted relative to the current disk  
Let us look into the code in ntdll.dll. The logic here is:  
In LdrpPreprocessDllName, the call to  
RtlDetermineDosPathNameType_Ustr returns 4 (RtlPathTypeRooted).  
And after calling LdrpGetFullPath we get "C:\DummyTLS\dummyTLS.dll"!  
You should not call LoadLibrary with a relative path. In fact, using  
a relative path is dangerous in many cases.  
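
The classification step described above, as an added example that is not part of the original post and is not ntdll's code: a portable C re-implementation of the DOS path-type rules, with a hypothetical guard (`is_safe_load_path`) that rejects anything but a drive-absolute path before a LoadLibrary call. The enum and function names and the drive letter passed to `resolve_rooted` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Numeric values follow the public RTL_PATH_TYPE enum; 4 is the value the post observes. */
enum path_type {
    PT_UNKNOWN = 0, PT_UNC_ABSOLUTE, PT_DRIVE_ABSOLUTE, PT_DRIVE_RELATIVE,
    PT_ROOTED, PT_RELATIVE, PT_LOCAL_DEVICE, PT_ROOT_LOCAL_DEVICE
};

static int is_sep(char c) { return c == '\\' || c == '/'; }

/* Simplified re-implementation of the path-type rules (assumption: follows the
   publicly known classification, it is not code taken from ntdll.dll). */
enum path_type classify_dos_path(const char *p)
{
    if (is_sep(p[0])) {
        if (!is_sep(p[1])) return PT_ROOTED;                    /* \dir\x.dll   */
        if (p[2] != '.' && p[2] != '?') return PT_UNC_ABSOLUTE; /* \\srv\share  */
        if (is_sep(p[3])) return PT_LOCAL_DEVICE;               /* \\.\ or \\?\ */
        return p[3] ? PT_UNC_ABSOLUTE : PT_ROOT_LOCAL_DEVICE;
    }
    if (p[0] == '\0' || p[1] != ':') return PT_RELATIVE;        /* x.dll        */
    return is_sep(p[2]) ? PT_DRIVE_ABSOLUTE : PT_DRIVE_RELATIVE; /* C:\x or C:x */
}

/* Hypothetical guard to run before LoadLibrary*: accept only X:\... paths. */
int is_safe_load_path(const char *p)
{
    return classify_dos_path(p) == PT_DRIVE_ABSOLUTE;
}

/* Shows what a rooted path becomes once the current drive is prepended. */
int resolve_rooted(const char *p, char drive, char *out, size_t n)
{
    if (classify_dos_path(p) != PT_ROOTED) return -1;
    int w = snprintf(out, n, "%c:%s", drive, p);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

int main(void)
{
    char full[260];
    const char *p = "\\DummyTLS\\dummyTLS.dll";   /* the string quoted in the post */
    printf("type=%d safe=%d\n", classify_dos_path(p), is_safe_load_path(p));
    if (resolve_rooted(p, 'C', full, sizeof full) == 0) printf("-> %s\n", full);
    return 0;
}
```

Passing the guard only means the path no longer depends on the current drive; who can write to the target directory still has to be checked separately.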
This was fixed on 2021-07-13 as CVE-2021-22000 and the advisory is  
here:  
For these vulnerabilities I will post a summary at