CVE-2026-2538
Unknown Unknown - Not Provided
Uncontrolled Search Path Vulnerability in Notepad2 Msimg32.dll

Publication date: 2026-02-16

Last updated on: 2026-02-16

Assigner: VulDB

Description
A security flaw has been discovered in Flos Freeware Notepad2 4.2.22/4.2.23/4.2.24/4.2.25. Affected is an unknown function in the library Msimg32.dll. Performing a manipulation results in uncontrolled search path. Attacking locally is a requirement. The attack's complexity is rated as high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-02-16
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2538
EUVD
EUVD-2026-6122
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
flos freeware_notepad2 4.2.22
flos freeware_notepad2 4.2.23
flos freeware_notepad2 4.2.24
flos freeware_notepad2 4.2.25
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2538 is a critical security vulnerability in Flos Freeware Notepad2 versions 4.2.22 through 4.2.25. It involves an uncontrolled search path issue in the Msimg32.dll library, where the application searches for this DLL in the directory from which it is launched. An attacker with local access can place a malicious Msimg32.dll file in the same folder as the Notepad2 executable. When Notepad2 starts, it will load and execute this malicious DLL automatically.

This DLL hijacking allows the attacker to execute arbitrary code with the same privileges as the user running Notepad2, potentially compromising system security.

Impact Analysis

This vulnerability can impact you by allowing an attacker with local access to execute arbitrary code on your system with your user privileges. This can lead to unauthorized access, modification, or destruction of data, as well as disruption of system availability.

  • Compromise of system confidentiality by unauthorized data access.
  • Integrity violations through unauthorized modification of system or application files.
  • Availability issues caused by malicious code execution affecting system or application stability.

Because the attack requires local access and has high complexity, remote exploitation is not possible, but if exploited, the impact is severe.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves DLL hijacking by placing a malicious Msimg32.dll in the same directory as the Notepad2 executable. Detection involves checking the Notepad2 execution directory for unexpected or suspicious Msimg32.dll files.'}, {'type': 'paragraph', 'content': 'You can detect the vulnerability by verifying if any unauthorized Msimg32.dll files exist in the Notepad2 program folder. Since the attack requires local access and manipulation of the DLL in the executable directory, inspecting that directory is key.'}, {'type': 'list_item', 'content': 'On Windows, use the command: dir /b /a "C:\\Path\\To\\Notepad2\\Msimg32.dll" to check if the DLL exists in the Notepad2 folder.'}, {'type': 'list_item', 'content': 'Use PowerShell to get the file hash and verify its legitimacy: Get-FileHash -Path "C:\\Path\\To\\Notepad2\\Msimg32.dll"'}, {'type': 'list_item', 'content': 'Monitor process loading behavior with tools like Process Monitor (ProcMon) to see if Notepad2 loads Msimg32.dll from its own directory.'}] [2]

Mitigation Strategies

There are no known countermeasures or mitigations provided by the vendor for this vulnerability.

The recommended immediate step is to replace the affected Notepad2 versions (4.2.22 through 4.2.25) with an alternative, unaffected software product.

Additionally, ensure that the Notepad2 execution directory does not contain any unauthorized Msimg32.dll files to prevent DLL hijacking.

Restrict local user permissions to prevent unauthorized file placement in application directories.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2538. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart