CVE-2026-2516
Uncontrolled Search Path Vulnerability in Unidocs ezPDF Reader
Publication date: 2026-02-15
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unidocs | ezpdf_drm_reader | 2.0 |
| unidocs | ezpdf_reader | 2.0 |
| unidocs | ezpdf_drm_reader | 3.0.0.4 |
| unidocs | ezpdf_reader | 3.0.0.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-426 | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. |
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2516 is an uncontrolled search path vulnerability affecting Unidocs ezPDF DRM Reader and ezPDF Reader versions 2.0 and 3.0.0.4 on 32-bit systems. The issue lies in the way the software loads the SHFOLDER.dll library without specifying a fully qualified path, causing the application to search for this DLL first in the Current Working Directory (CWD).
A local attacker with low privileges can exploit this by placing a malicious SHFOLDER.dll in the same directory as the installer. When the installer is run with administrative privileges, it loads and executes the malicious DLL with high integrity, resulting in arbitrary code execution with administrative rights.
The attack requires local access and involves privilege escalation from a low-privileged user to a high-privileged context. The vulnerability is complex to exploit but a proof-of-concept exploit is publicly available.
How can this vulnerability impact me? :
This vulnerability can lead to arbitrary code execution with administrative privileges on the affected system. An attacker can escalate their privileges from a low-privileged user to execute malicious code with high integrity.
The impact includes compromise of confidentiality, integrity, and availability of the system. This means sensitive data could be exposed or altered, system operations disrupted, and overall security undermined.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring the DLL loading behavior of the vulnerable installers (ezPDF DRM Reader and ezPDF Reader 2.0/3.0.0.4) on a 32-bit system. Specifically, the issue involves the uncontrolled search path for the SHFOLDER.dll library, where the application loads DLLs from the Current Working Directory (CWD) without specifying a fully qualified path.'}, {'type': 'paragraph', 'content': "A practical detection method is to use Process Monitor (ProcMon) to trace DLL loading events when running the installer. Look for instances where SHFOLDER.dll is loaded from unexpected or user-controlled directories such as the installer's folder or the user's Downloads folder."}, {'type': 'paragraph', 'content': 'Suggested commands/tools for detection include:'}, {'type': 'list_item', 'content': 'Run Process Monitor (ProcMon) with filters set to monitor the installer process and DLL load events.'}, {'type': 'list_item', 'content': "Use PowerShell or command prompt to check for the presence of SHFOLDER.dll in the installer's directory or other user-writable directories before running the installer."}, {'type': 'list_item', 'content': "Example PowerShell command to check for SHFOLDER.dll in a directory: Get-ChildItem -Path 'C:\\Path\\To\\Installer' -Filter SHFOLDER.dll"}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include preventing the exploitation of the uncontrolled DLL search path by ensuring that no malicious SHFOLDER.dll exists in the same directory as the installer or other user-writable directories.'}, {'type': 'paragraph', 'content': "Since the vulnerability requires local access and the attacker to place a malicious DLL in the installer's directory, restricting write permissions to these directories for low-privileged users can reduce risk."}, {'type': 'paragraph', 'content': 'Other recommended actions are:'}, {'type': 'list_item', 'content': 'Do not run the vulnerable installers from untrusted or user-writable directories such as Downloads.'}, {'type': 'list_item', 'content': 'Run installers from trusted system directories or locations with restricted write access.'}, {'type': 'list_item', 'content': 'Consider replacing the affected software with alternative products, as no vendor patch or update is available.'}, {'type': 'list_item', 'content': 'Developers should implement mitigations such as calling SetDefaultDllDirectories to restrict DLL loading to system directories or use absolute paths when loading DLLs, but this requires vendor action.'}] [1, 2]