CVE-2026-23512

8.6 HIGH

📋 TL;DR

SumatraPDF versions 3.5.2 and earlier contain an untrusted search path vulnerability (CWE-426) that allows arbitrary code execution. When a user opens Settings > Advanced Options, the application launches notepad.exe by bare name instead of by absolute path. Windows resolves such a name by searching the application's own directory before the system directories, so a malicious notepad.exe placed in the SumatraPDF installation directory runs in place of the real editor, with the privileges of the user who opened the menu. This affects all Windows installations of vulnerable versions.

💻 Affected Systems

Products:
  • SumatraPDF
Versions: 3.5.2 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems. Vulnerability is present in default configuration when Advanced Options feature is used.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining the same privileges as the user running SumatraPDF, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Code execution in the context of the user who opens Advanced Options. An attacker who can already write to the installation directory, or who social-engineers the user into placing a file there, gets a payload run as that user and can steal documents or credentials. It becomes a privilege escalation only where the account that planted the file is less privileged than the victim, for example a standard user planting notepad.exe in a directory that a local administrator later uses.

🟢

If Mitigated

Limited impact with proper file permissions preventing unauthorized writes to the installation directory and user awareness preventing execution of suspicious files.

🌐 Internet-Facing: LOW - This requires local access to the system or successful social engineering to place malicious files, not directly exploitable over the network.
🏢 Internal Only: MEDIUM - In enterprise environments, attackers with initial access could exploit this for lateral movement or privilege escalation within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires write access to the SumatraPDF installation directory and a user opening Advanced Options. No public exploit code has been published, but none is needed: the attack is any executable renamed to notepad.exe and copied next to SumatraPDF.exe, so the absence of a PoC provides no protection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.3 and later

Vendor Advisory: https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-rqg5-gj63-x4mv

Restart Required: No

Instructions:

1. Download the latest version from the official SumatraPDF website
2. Uninstall the current version
3. Install the new version
4. Verify the version is 3.5.3 or higher
5. For the portable build, which has no installer, replace SumatraPDF.exe in place and remove any notepad.exe that sits beside it

🔧 Temporary Workarounds

Restrict installation directory permissions

Deny write access to the SumatraPDF installation directory so that an unprivileged account cannot plant notepad.exe next to SumatraPDF.exe. A default install under C:\Program Files already has this property; a per-user install under %LOCALAPPDATA%\SumatraPDF does not, because the user owns that directory, and should be replaced by a machine-wide install or patched.

icacls "C:\Program Files\SumatraPDF" /deny Users:(OI)(CI)W

Caveat: administrators are normally members of BUILTIN\Users as well, so this deny ACE also blocks updates until it is removed again with icacls "C:\Program Files\SumatraPDF" /remove:d Users.

Disable Advanced Options feature

SumatraPDF has no group policy or configuration switch that hides Settings > Advanced Options. Until the patch is deployed, instruct users not to open it on vulnerable builds (the settings file it opens, SumatraPDF-settings.txt, can be edited with any other editor), and pair that with the execution block listed under "If You Can't Patch".

🧯 If You Can't Patch

  • Restrict write permissions on the SumatraPDF installation directory to administrators only
  • Monitor for creation of notepad.exe in the SumatraPDF directory and block its execution from that location with an AppLocker or WDAC path rule; the legitimate binary only ever runs from %SystemRoot%\System32 or %SystemRoot%\SysWOW64

🔍 How to Verify

Check if Vulnerable:

Check SumatraPDF version in Help > About menu. If version is 3.5.2 or earlier, system is vulnerable.

Check Version:

Read the file version of SumatraPDF.exe, for example in PowerShell with (Get-Item "C:\Program Files\SumatraPDF\SumatraPDF.exe").VersionInfo.ProductVersion (adjust the path for per-user or portable installs), or check Help > About in the application.

Verify Fix Applied:

After updating, verify version is 3.5.3 or higher in Help > About menu. Test Advanced Options functionality to ensure it still works properly.
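The checks above, as an added PowerShell script that is not part of the advisory or of SumatraPDF itself. It assumes the three install locations listed in $Candidates (extend the list for custom paths), reads the binary's version, probes whether the current user can write to the install directory, and looks for a notepad.exe already planted beside SumatraPDF.exe:

```powershell
# Added example, not from the advisory or the SumatraPDF project.
# Audits a Windows host for CVE-2026-23512 exposure. The install locations
# below are an assumption; add your own paths for non-standard installs.

$Candidates = @(
    "$env:ProgramFiles\SumatraPDF\SumatraPDF.exe",
    "${env:ProgramFiles(x86)}\SumatraPDF\SumatraPDF.exe",
    "$env:LOCALAPPDATA\SumatraPDF\SumatraPDF.exe"
)
$FixedVersion = [version]'3.5.3'   # first release with the absolute-path fix

function Get-ExeVersion {
    param([string]$Path)
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    # Keep the dotted numeric part; vendors sometimes append text to ProductVersion.
    $m = [regex]::Match("$($info.ProductVersion) $($info.FileVersion)", '\d+(\.\d+)+')
    if ($m.Success) { [version]$m.Value } else { $null }
}

function Test-DirectoryWritable {
    param([string]$Dir)
    # A write probe with a uniquely named scratch file answers the only question
    # that matters here (can this account plant a file?) without having to
    # reason about group membership, deny ACEs and ownership in the ACL.
    $probe = Join-Path $Dir ("acltest-" + [guid]::NewGuid().ToString('n') + ".tmp")
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Test-SumatraPdfExposure {
    param([string[]]$Paths = $Candidates)
    foreach ($exe in $Paths) {
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $dir   = Split-Path -Parent $exe
        $ver   = Get-ExeVersion $exe
        $rogue = Join-Path $dir 'notepad.exe'
        [pscustomobject]@{
            Path         = $exe
            Version      = $ver
            Patched      = ($null -ne $ver -and $ver -ge $FixedVersion)
            # An unprivileged write here means the file can be planted.
            DirWritable  = Test-DirectoryWritable $dir
            # notepad.exe never legitimately sits next to SumatraPDF.exe.
            RogueNotepad = Test-Path -LiteralPath $rogue
        }
    }
}

Test-SumatraPdfExposure | Format-Table -AutoSize
```

A host is exposed when Patched is False and DirWritable is True; RogueNotepad set to True on any host, patched or not, means the file was already planted and the machine needs an incident response look rather than just an update. Run the script as the ordinary user who uses SumatraPDF, not as an administrator, or the write probe answers the wrong question.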

📡 Detection & Monitoring

Log Indicators:

  • Process creation events for notepad.exe from SumatraPDF directory
  • File creation events for notepad.exe in SumatraPDF installation path

Network Indicators:

  • Unusual outbound connections following notepad.exe execution from SumatraPDF directory

SIEM Query:

Match any notepad.exe spawned by SumatraPDF.exe whose image path is not the real binary (field names as in Sysmon Event ID 1; for Security 4688 use NewProcessName and ParentProcessName):

Image ENDSWITH "\notepad.exe" AND ParentImage ENDSWITH "\SumatraPDF.exe" AND NOT (Image STARTSWITH "C:\Windows\System32\" OR Image STARTSWITH "C:\Windows\SysWOW64\")

The parent condition ties the event to this bug; the path condition is what separates it from the legitimate editor launch, which also has SumatraPDF.exe as parent. Alert separately on Image ENDSWITH "\SumatraPDF\notepad.exe" regardless of parent, since the planted file is an indicator on its own.
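The detection logic above applied to local process-creation telemetry, as an added PowerShell example that is not part of the advisory or of SumatraPDF. It assumes Sysmon is installed with Event ID 1 enabled and/or process creation auditing (Security 4688) is turned on; with neither, the queries return nothing. The decision is kept in a separate function so the same rule can be run over a SIEM export:

```powershell
# Added example, not from the advisory or the SumatraPDF project.
# Hunts for notepad.exe started by SumatraPDF.exe from anywhere other than
# the Windows system directories, in Sysmon (Event ID 1) and Security (4688).

$SystemDirs = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\")

function Test-SuspiciousNotepadLaunch {
    # Pure decision function: true only for notepad.exe, parented by
    # SumatraPDF.exe, whose image lives outside System32/SysWOW64.
    param([string]$Image, [string]$ParentImage)
    $isNotepad     = [IO.Path]::GetFileName($Image) -ieq 'notepad.exe'
    $parentSumatra = [IO.Path]::GetFileName($ParentImage) -ieq 'SumatraPDF.exe'
    $fromSystemDir = $false
    foreach ($d in $SystemDirs) {
        if ($Image.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $fromSystemDir = $true }
    }
    return ($isNotepad -and $parentSumatra -and -not $fromSystemDir)
}

function ConvertTo-EventDataTable {
    # Flattens the EventData <Data Name="..."> elements of an event into a hashtable.
    param($Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-SysmonHits {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventDataTable $_
        if (Test-SuspiciousNotepadLaunch $d.Image $d.ParentImage) {
            [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Sysmon'; User = $d.User
                               Image = $d.Image; Parent = $d.ParentImage; Hashes = $d.Hashes }
        }
    }
}

function Get-SecurityHits {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventDataTable $_
        # 4688 carries ParentProcessName only on Windows 10 / Server 2016 and later.
        if (Test-SuspiciousNotepadLaunch $d.NewProcessName $d.ParentProcessName) {
            [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Security'; User = $d.SubjectUserName
                               Image = $d.NewProcessName; Parent = $d.ParentProcessName; Hashes = $null }
        }
    }
}

@(Get-SysmonHits) + @(Get-SecurityHits) | Format-Table -AutoSize
```

Reading the Security log requires an elevated session. Any hit is worth triage even on a patched host, because a planted notepad.exe may still be sitting in the directory waiting for an older copy of the application, and the Sysmon Hashes field gives you the value to pivot on across the fleet.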

🔗 References