CVE-2026-2538
Uncontrolled Search Path Vulnerability in Notepad2 Msimg32.dll
Publication date: 2026-02-16
Last updated on: 2026-02-16
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flos | freeware_notepad2 | 4.2.22 |
| flos | freeware_notepad2 | 4.2.23 |
| flos | freeware_notepad2 | 4.2.24 |
| flos | freeware_notepad2 | 4.2.25 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
| CWE-426 | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2538 is a critical security vulnerability in Flos Freeware Notepad2 versions 4.2.22 through 4.2.25. It involves an uncontrolled search path issue in the Msimg32.dll library, where the application searches for this DLL in the directory from which it is launched. An attacker with local access can place a malicious Msimg32.dll file in the same folder as the Notepad2 executable. When Notepad2 starts, it will load and execute this malicious DLL automatically.
This DLL hijacking allows the attacker to execute arbitrary code with the same privileges as the user running Notepad2, potentially compromising system security.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker with local access to execute arbitrary code on your system with your user privileges. This can lead to unauthorized access, modification, or destruction of data, as well as disruption of system availability.
- Compromise of system confidentiality by unauthorized data access.
- Integrity violations through unauthorized modification of system or application files.
- Availability issues caused by malicious code execution affecting system or application stability.
Because the attack requires local access and has high complexity, remote exploitation is not possible, but if exploited, the impact is severe.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves DLL hijacking by placing a malicious Msimg32.dll in the same directory as the Notepad2 executable. Detection involves checking the Notepad2 execution directory for unexpected or suspicious Msimg32.dll files.'}, {'type': 'paragraph', 'content': 'You can detect the vulnerability by verifying if any unauthorized Msimg32.dll files exist in the Notepad2 program folder. Since the attack requires local access and manipulation of the DLL in the executable directory, inspecting that directory is key.'}, {'type': 'list_item', 'content': 'On Windows, use the command: dir /b /a "C:\\Path\\To\\Notepad2\\Msimg32.dll" to check if the DLL exists in the Notepad2 folder.'}, {'type': 'list_item', 'content': 'Use PowerShell to get the file hash and verify its legitimacy: Get-FileHash -Path "C:\\Path\\To\\Notepad2\\Msimg32.dll"'}, {'type': 'list_item', 'content': 'Monitor process loading behavior with tools like Process Monitor (ProcMon) to see if Notepad2 loads Msimg32.dll from its own directory.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
There are no known countermeasures or mitigations provided by the vendor for this vulnerability.
The recommended immediate step is to replace the affected Notepad2 versions (4.2.22 through 4.2.25) with an alternative, unaffected software product.
Additionally, ensure that the Notepad2 execution directory does not contain any unauthorized Msimg32.dll files to prevent DLL hijacking.
Restrict local user permissions to prevent unauthorized file placement in application directories.