CVE-2026-2516
Unknown Unknown - Not Provided
Uncontrolled Search Path Vulnerability in Unidocs ezPDF Reader

Publication date: 2026-02-15

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in Unidocs ezPDF DRM Reader and ezPDF Reader 2.0/3.0.0.4. This affects an unknown part in the library SHFOLDER.dll. Such manipulation leads to uncontrolled search path. The attack needs to be performed locally. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. Upgrading the affected component is recommended. The vendor explains: "[W]e have already addressed similar DLL search path vulnerability patterns through prior security updates. (...) Users are advised to use the latest version provided by the vendor."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-15
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-15
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2516
EUVD
EUVD-2026-5829
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
unidocs ezpdf_drm_reader 2.0
unidocs ezpdf_reader 2.0
unidocs ezpdf_drm_reader 3.0.0.4
unidocs ezpdf_reader 3.0.0.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2516 is an uncontrolled search path vulnerability affecting Unidocs ezPDF DRM Reader and ezPDF Reader versions 2.0 and 3.0.0.4 on 32-bit systems. The issue lies in the way the software loads the SHFOLDER.dll library without specifying a fully qualified path, causing the application to search for this DLL first in the Current Working Directory (CWD).

A local attacker with low privileges can exploit this by placing a malicious SHFOLDER.dll in the same directory as the installer. When the installer is run with administrative privileges, it loads and executes the malicious DLL with high integrity, resulting in arbitrary code execution with administrative rights.

The attack requires local access and involves privilege escalation from a low-privileged user to a high-privileged context. The vulnerability is complex to exploit but a proof-of-concept exploit is publicly available.

Impact Analysis

This vulnerability can lead to arbitrary code execution with administrative privileges on the affected system. An attacker can escalate their privileges from a low-privileged user to execute malicious code with high integrity.

The impact includes compromise of confidentiality, integrity, and availability of the system. This means sensitive data could be exposed or altered, system operations disrupted, and overall security undermined.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring the DLL loading behavior of the vulnerable installers (ezPDF DRM Reader and ezPDF Reader 2.0/3.0.0.4) on a 32-bit system. Specifically, the issue involves the uncontrolled search path for the SHFOLDER.dll library, where the application loads DLLs from the Current Working Directory (CWD) without specifying a fully qualified path.'}, {'type': 'paragraph', 'content': "A practical detection method is to use Process Monitor (ProcMon) to trace DLL loading events when running the installer. Look for instances where SHFOLDER.dll is loaded from unexpected or user-controlled directories such as the installer's folder or the user's Downloads folder."}, {'type': 'paragraph', 'content': 'Suggested commands/tools for detection include:'}, {'type': 'list_item', 'content': 'Run Process Monitor (ProcMon) with filters set to monitor the installer process and DLL load events.'}, {'type': 'list_item', 'content': "Use PowerShell or command prompt to check for the presence of SHFOLDER.dll in the installer's directory or other user-writable directories before running the installer."}, {'type': 'list_item', 'content': "Example PowerShell command to check for SHFOLDER.dll in a directory: Get-ChildItem -Path 'C:\\Path\\To\\Installer' -Filter SHFOLDER.dll"}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include preventing the exploitation of the uncontrolled DLL search path by ensuring that no malicious SHFOLDER.dll exists in the same directory as the installer or other user-writable directories.'}, {'type': 'paragraph', 'content': "Since the vulnerability requires local access and the attacker to place a malicious DLL in the installer's directory, restricting write permissions to these directories for low-privileged users can reduce risk."}, {'type': 'paragraph', 'content': 'Other recommended actions are:'}, {'type': 'list_item', 'content': 'Do not run the vulnerable installers from untrusted or user-writable directories such as Downloads.'}, {'type': 'list_item', 'content': 'Run installers from trusted system directories or locations with restricted write access.'}, {'type': 'list_item', 'content': 'Consider replacing the affected software with alternative products, as no vendor patch or update is available.'}, {'type': 'list_item', 'content': 'Developers should implement mitigations such as calling SetDefaultDllDirectories to restrict DLL loading to system directories or use absolute paths when loading DLLs, but this requires vendor action.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2516. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart