CVE-2026-25792
Binary Hijacking in Greenshot Allows Local Code Execution
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getgreenshot | greenshot | up to and including 1.3.312 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-426 | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25792 is a vulnerability in the Greenshot Windows screenshot utility (versions 1.3.312 and below) where the application launches the Windows explorer.exe process without specifying its absolute path. This allows an attacker with local access and high privileges to place a malicious executable named explorer.exe in a location that is searched before the legitimate Windows binary. When the user double-clicks the Greenshot tray icon to open the folder containing the most recent screenshot, the application may execute the malicious executable instead of the legitimate one, leading to arbitrary code execution.
This vulnerability is a type of binary hijacking or untrusted executable search path issue (CWE-426). It requires user interaction (double-clicking the tray icon) and can be difficult to detect because the malicious executable can forward execution to the legitimate explorer.exe, maintaining normal application behavior.
How can this vulnerability impact me?
The vulnerability allows a local attacker with high privileges to execute arbitrary code within the context of the Greenshot application. This can lead to privilege escalation if the application runs with elevated privileges.
Because the attacker can run malicious code disguised as a legitimate system process, they may gain unauthorized access to sensitive data, modify or delete files, or disrupt system availability.
The attack requires user interaction but can abuse a trusted user interface feature, making it a significant security risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Greenshot application launches explorer.exe without using an absolute path, which allows binary hijacking. Detection involves verifying whether a malicious executable named explorer.exe exists in directories that are searched before the legitimate Windows system directory.
You can search for suspicious explorer.exe files in user-writable or application-controlled directories that precede the system directory in the executable search path.
- Use commands to locate explorer.exe files outside the legitimate Windows system folder, for example in Windows PowerShell: `Get-ChildItem -Path C:\Users\*\AppData\Local\* -Filter explorer.exe -Recurse`
- Search common directories in the PATH environment variable for unexpected explorer.exe files.
- Check the Greenshot process or logs to see if it launches explorer.exe without an absolute path.
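The PATH check described above, written out as an added example (it is not from the advisory or from the Greenshot project). The `-ExtraDirectory` parameter is an assumption of this sketch: pass any additional directories you want checked, such as the Greenshot install directory on the host.

```powershell
# Added example: report every explorer.exe reachable through PATH (or through
# extra directories you pass in) other than the copies Windows itself ships.
param(
    # Assumption: extra directories to check, e.g. the local Greenshot install
    # directory. No default location is assumed.
    [string[]]$ExtraDirectory = @()
)

# Copies shipped with Windows (the SysWOW64 one exists on 64-bit systems).
$legit = @(
    (Join-Path $env:SystemRoot 'explorer.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\explorer.exe')
) | ForEach-Object { $_.ToLowerInvariant() }

# PATH entries, with empty items dropped, quotes stripped and %VAR% expanded.
$pathDirs = $env:PATH -split ';' | Where-Object { $_.Trim() } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) }

$seen = @{}
$findings = foreach ($dir in @($ExtraDirectory) + @($pathDirs)) {
    # Join-Path returns nothing for entries on drives that do not exist.
    $candidate = Join-Path $dir 'explorer.exe' -ErrorAction SilentlyContinue
    if (-not $candidate -or -not (Test-Path -LiteralPath $candidate -PathType Leaf)) { continue }

    $item = Get-Item -LiteralPath $candidate -Force
    $key  = $item.FullName.ToLowerInvariant()
    if ($legit -contains $key -or $seen.ContainsKey($key)) { continue }
    $seen[$key] = $true

    # Collect what an analyst needs to triage the file.
    $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
    [pscustomobject]@{
        Path      = $item.FullName
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        Modified  = $item.LastWriteTime
    }
}

if ($findings) {
    $findings | Format-List
} else {
    'No unexpected explorer.exe found in the checked directories.'
}
```

Any file this lists warrants review regardless of its signature status, since the only expected copies are the ones under the Windows directory.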
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves ensuring that the Greenshot application launches system executables using fully qualified absolute paths to prevent binary hijacking.
Since no patch was available at the time of publication, you should restrict write permissions on directories that are searched before the system directory to prevent malicious executables from being placed there.
Avoid running Greenshot with elevated privileges to reduce the impact of potential code execution.
Educate users to be cautious when double-clicking the Greenshot tray icon, as this triggers the vulnerable behavior.
Monitor for suspicious explorer.exe executions originating from non-standard locations.