Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33156 is a high-severity DLL sideloading vulnerability in ScreenToGif versions up to and including 2.42.1. The application, which is primarily distributed as a portable tool intended to run from user-writable directories, improperly loads the DLL file "version.dll" from its own application directory instead of the Windows System32 directory.'}, {'type': 'paragraph', 'content': 'This behavior allows an attacker to place a malicious version.dll in the same directory as the executable. When the application runs, it loads this malicious DLL, enabling arbitrary code execution within the context of the current user.'}, {'type': 'paragraph', 'content': 'The vulnerability arises due to the use of an untrusted search path (CWE-426) and an uncontrolled search path element (CWE-427), which lets attackers control which DLL is loaded by the application.'}, {'type': 'paragraph', 'content': 'The malicious DLL can forward legitimate calls to maintain normal application functionality while executing malicious code, allowing persistence by residing in the portable app directory.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code with the privileges of the current user running ScreenToGif. Because the attack requires only local access and user interaction, it has a low attack complexity and does not require elevated privileges.

The impact includes high risks to confidentiality, integrity, and availability of the affected system. An attacker could compromise sensitive data, alter or destroy information, and disrupt system operations.

Since ScreenToGif is often run from user-writable directories, the attacker can maintain persistence by placing the malicious DLL alongside the application.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the ScreenToGif executable is running from a user-writable directory and if a malicious version.dll file exists in the same directory as the executable.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves DLL sideloading via version.dll, you can look for suspicious version.dll files located alongside the ScreenToGif executable instead of the legitimate version.dll in the Windows System32 directory.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect this condition on a Windows system include:'}, {'type': 'list_item', 'content': 'Use PowerShell to find ScreenToGif executables running from writable directories: Get-Process -Name ScreenToGif | Select-Object Path'}, {'type': 'list_item', 'content': 'Check for version.dll files in the same directory as the executable: Get-ChildItem -Path "<path_to_ScreenToGif_directory>" -Filter version.dll'}, {'type': 'list_item', 'content': 'Verify the file properties and digital signature of version.dll files found to identify potentially malicious versions.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include avoiding running the portable ScreenToGif application from user-writable directories to prevent loading a malicious version.dll.

Run ScreenToGif from a trusted, non-writable directory such as a system or program files folder where users do not have write permissions.

Remove any suspicious version.dll files located in the same directory as the ScreenToGif executable.

Monitor and restrict write permissions on directories where ScreenToGif is executed to prevent attackers from placing malicious DLLs.

Since no patches are available at the time of the advisory, these steps are critical to reduce the risk of arbitrary code execution.

Useful 0 Not Useful 0