CVE-2026-2516

7.0 HIGH

📋 TL;DR

This vulnerability in Unidocs ezPDF DRM Reader and ezPDF Reader allows local attackers to exploit an uncontrolled search path issue in SHFOLDER.dll, potentially enabling arbitrary code execution. It affects users of the 32-bit versions of these PDF readers on Windows systems. The attack requires local access and is complex to execute.

💻 Affected Systems

Products:
  • Unidocs ezPDF DRM Reader
  • Unidocs ezPDF Reader
Versions: 2.0 through 3.0.0.4
Operating Systems: Windows (32-bit only)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects 32-bit versions; requires local access to system.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation leading to full system compromise via arbitrary code execution as the current user.

🟠 Likely Case: Limited impact due to high exploitation complexity and local-only requirement; potential for malware persistence or data theft.

🟢 If Mitigated: Minimal impact with proper user privilege restrictions and application whitelisting in place.

🌐 Internet-Facing: LOW - Attack requires local access, cannot be exploited remotely.
🏢 Internal Only: MEDIUM - Local attackers could exploit this, but complexity reduces likelihood.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploit is publicly available but requires local access and complex manipulation; vendor unresponsive.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor did not respond to disclosure

Restart Required: No

Instructions:

No official patch available. Consider upgrading to newer versions if available or discontinuing use.

🔧 Temporary Workarounds

Remove vulnerable DLL (Windows)

Remove or rename SHFOLDER.dll in the application directory to prevent exploitation. The two commands below are alternatives; run one of them, not both:

del "C:\Program Files\ezPDF Reader\SHFOLDER.dll"
ren "C:\Program Files\ezPDF Reader\SHFOLDER.dll" SHFOLDER.dll.bak

Restrict application execution (Windows)

Use application control policies to restrict execution of vulnerable versions.

🧯 If You Can't Patch

  • Uninstall affected software versions and replace with alternative PDF readers
  • Implement strict user privilege controls to limit local attack surface

🔍 How to Verify

Check if Vulnerable:

Check installed version of ezPDF Reader (2.0-3.0.0.4) and verify 32-bit architecture

Check Version:

Check application properties or registry: HKEY_LOCAL_MACHINE\SOFTWARE\Unidocs\ezPDF Reader

Verify Fix Applied:

Verify SHFOLDER.dll is removed/renamed or application is uninstalled

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process creation from ezPDF Reader directory
  • Failed DLL loading attempts for SHFOLDER.dll

Network Indicators:

  • None - local-only vulnerability

SIEM Query:

Process Creation where Image contains 'ezPDF' and CommandLine contains unusual parameters
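
The DLL-load indicator above can be checked directly against image-load telemetry. The following Python is an added example, not part of the original page or any vendor tooling: it flags an ezPDF process loading SHFOLDER.dll from anywhere other than the Windows system directories. The event field names (Sysmon Event ID 7 style), the C:\Windows system root, and the executable name ezPDFReader.exe are assumptions, and the sample events are constructed.

```python
import ntpath

# Assumption: image-load telemetry (for example Sysmon Event ID 7) has already
# been parsed into dicts with "Image" (loading process) and "ImageLoaded" (DLL).
# Assumption: Windows is installed in C:\Windows.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TARGET_DLL = "shfolder.dll"


def is_suspicious_load(event):
    """True when an ezPDF process loads SHFOLDER.dll from a non-system directory."""
    image = event.get("Image", "").lower()
    if "ezpdf" not in image:
        return False
    # Normalise first so "..", "/" and mixed case cannot disguise the real directory.
    loaded = ntpath.normpath(event.get("ImageLoaded", "").lower())
    if ntpath.basename(loaded) != TARGET_DLL:
        return False
    return ntpath.dirname(loaded) not in SYSTEM_DIRS


def find_suspicious_loads(events):
    """Return the subset of events that match the search-path indicator."""
    return [e for e in events if is_suspicious_load(e)]


# Constructed sample events; ezPDFReader.exe is a hypothetical executable name.
READER = r"C:\Program Files\ezPDF Reader\ezPDFReader.exe"
SAMPLE_EVENTS = [
    {"Image": READER, "ImageLoaded": r"C:\Windows\SysWOW64\shfolder.dll"},
    {"Image": READER, "ImageLoaded": r"C:\Program Files\ezPDF Reader\SHFOLDER.dll"},
    {"Image": READER, "ImageLoaded": r"C:/Windows/System32/../Temp/ShFolder.dll"},
    {"Image": READER, "ImageLoaded": r"C:\Windows\SysWOW64\version.dll"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Program Files\ezPDF Reader\SHFOLDER.dll"},
]

if __name__ == "__main__":
    for hit in find_suspicious_loads(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "loaded", hit["ImageLoaded"])
```

Treating only the system directories as expected load locations is an assumption; if a legitimate copy of the DLL ships in the install directory, allow-list it by hash or signer rather than by path.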
