CVE-2026-2538
📋 TL;DR
This CVE describes a DLL hijacking vulnerability in Flos Freeware Notepad2 versions 4.2.22 through 4.2.25. Attackers can exploit uncontrolled search paths in Msimg32.dll to execute malicious code when Notepad2 is launched from a compromised directory. Only local attackers can exploit this vulnerability, requiring user interaction to run Notepad2 from a malicious location.
💻 Affected Systems
- Flos Freeware Notepad2
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could place a malicious DLL in a directory where Notepad2 is executed, leading to arbitrary code execution with the privileges of the user running Notepad2.
Likely Case
Limited impact due to high attack complexity and requirement for local access; most likely scenario involves targeted attacks where attackers can control execution environment.
If Mitigated
Minimal impact if users only run Notepad2 from trusted directories and maintain proper file permissions.
🎯 Exploit Status
Exploitation requires local access, ability to place malicious DLL in execution path, and user to run Notepad2 from that location. Public proof-of-concept exists on GitHub.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None - vendor did not respond to disclosure
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available, or use alternative software.
🔧 Temporary Workarounds
Restrict execution locations
Windows: Only run Notepad2 from trusted directories and avoid executing it from temporary or untrusted locations.
Set DLL search order security
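Windows: Configure the Windows DLL search order to prioritize system directories. SafeDllSearchMode is enabled by default on current Windows versions, so the command below re-asserts it where it has been turned off. It moves only the current directory later in the search order; the application's own directory is still searched first.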
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "SafeDllSearchMode" -Value 1
🧯 If You Can't Patch
- Uninstall affected Notepad2 versions and use alternative text editors
- Implement application whitelisting to control where Notepad2 can be executed from
🔍 How to Verify
Check if Vulnerable:
Check Notepad2 version via Help > About menu; if version is 4.2.22, 4.2.23, 4.2.24, or 4.2.25, system is vulnerable
Check Version:
Notepad2.exe --version (if supported) or check Help > About in GUI
Verify Fix Applied:
Verify Notepad2 has been updated to a version later than 4.2.25 or has been uninstalled
📡 Detection & Monitoring
Log Indicators:
- Process creation events for Notepad2.exe from unusual directories
- DLL loading events for Msimg32.dll from non-system paths
Network Indicators:
- No network indicators - local-only vulnerability
SIEM Query:
Process Creation where Image contains "Notepad2.exe" and CurrentDirectory contains suspicious paths
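As an added example (not part of the CVE entry or any vendor material), the two log indicators above applied to exported events. The field names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad); the sample events, the user name and the TRUSTED_INSTALL_DIRS allow-list are constructed assumptions.

```python
import ntpath  # Windows path rules on any OS, so exported logs can be triaged offline

# Assumptions: default %SystemRoot% and a hypothetical allow-list of install directories.
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TRUSTED_INSTALL_DIRS = {r"c:\program files\notepad2"}

# Constructed sample events (Sysmon Event ID 1 = ProcessCreate, 7 = ImageLoad).
EXE = r"C:\Program Files\Notepad2\Notepad2.exe"
COPY = r"C:\Users\alice\Downloads\tools\Notepad2.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": EXE},
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
    {"EventID": 1, "Image": COPY},
    {"EventID": 7, "Image": COPY, "ImageLoaded": r"C:\Users\alice\Downloads\tools\Msimg32.dll"},
    {"EventID": 7, "Image": EXE, "ImageLoaded": r"C:\Windows\System32\..\Temp\MSIMG32.DLL"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
]


def _split(path):
    """Return (directory, file name), lower-cased with '..' and '/' resolved."""
    norm = ntpath.normcase(ntpath.normpath(path))
    return ntpath.dirname(norm), ntpath.basename(norm)


def findings(events):
    """Return (rule, original path) pairs for the two log indicators."""
    hits = []
    for ev in events:
        exe_dir, exe_name = _split(ev.get("Image", ""))
        if exe_name != "notepad2.exe":
            continue
        if ev.get("EventID") == 1 and exe_dir not in TRUSTED_INSTALL_DIRS:
            hits.append(("exe-untrusted-dir", ev["Image"]))
        elif ev.get("EventID") == 7:
            dll_dir, dll_name = _split(ev.get("ImageLoaded", ""))
            # Exact directory match, so "System32evil" or "System32\.." cannot pass.
            if dll_name == "msimg32.dll" and dll_dir not in SYSTEM_DLL_DIRS:
                hits.append(("dll-nonsystem", ev["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for rule, path in findings(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

Adjust TRUSTED_INSTALL_DIRS to the directories where Notepad2 is actually deployed before running this over real exports.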