CVE-2022-32168 Overview
CVE-2022-32168 is a DLL hijacking vulnerability affecting Notepad++ versions 8.4.1 and earlier. The application loads UxTheme.dll and DBGHELP.DLL using the unsafe LoadLibrary Windows API without specifying a fully qualified path or restricting the search to the system directory. An attacker who places a malicious DLL with the same name in a directory searched before System32 can execute arbitrary code in the context of the Notepad++ process. The flaw is tracked as CWE-427: Uncontrolled Search Path Element.
Critical Impact
Successful exploitation allows arbitrary code execution within the Notepad++ process, leading to high impact on confidentiality, integrity, and availability of the local system.
Affected Products
- Notepad++ versions prior to 8.4.2
- Notepad++ 8.4.1 (confirmed vulnerable)
- Windows installations of Notepad++ where UxTheme.dll or DBGHELP.DLL can be loaded from a writable directory
Discovery Timeline
- 2022-09-28 - CVE-2022-32168 published to NVD
- 2025-05-21 - Last updated in NVD database
Technical Details for CVE-2022-32168
Vulnerability Analysis
Notepad++ invokes the Windows LoadLibrary API to dynamically load supporting libraries at runtime. When LoadLibrary receives only a module name without a fully qualified path, Windows follows its standard DLL search order. That order includes the application's launch directory before System32. An attacker who can drop a crafted UxTheme.dll next to notepad++.exe, or in any other directory that appears earlier in the search order, causes the attacker-controlled DLL to load instead of the legitimate Windows component.
Once loaded, the malicious DLL's DllMain executes inside the Notepad++ process. Code runs with the privileges of the user running the editor. This enables persistence, credential theft from the user session, or lateral payload staging. The attack requires user interaction, since the victim must launch Notepad++ from the poisoned directory.
Root Cause
The root cause is the use of LoadLibrary(TEXT("uxtheme.dll")) and LoadLibrary(TEXT("DBGHELP.DLL")) without restricting the search path. Windows resolves these names through the default DLL search order, which includes user-writable locations. The fix replaces these calls with LoadLibraryEx using the LOAD_LIBRARY_SEARCH_SYSTEM32 flag.
Attack Vector
The attacker plants a malicious UxTheme.dll or DBGHELP.DLL in the Notepad++ application directory or any directory that precedes System32 in the DLL search order. Common vectors include shared network folders, USB media, or archives extracted into a directory that also contains notepad++.exe. When the user launches Notepad++ from that directory, the planted DLL is loaded.
```cpp
// Vulnerable code (PowerEditor/src/Parameters.cpp) - pre-patch
_hUXTheme = ::LoadLibrary(TEXT("uxtheme.dll"));

// Patched code - restricts search to System32
_hUXTheme = ::LoadLibraryEx(TEXT("uxtheme.dll"), nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32);
if (_hUXTheme)
    _enableThemeDialogTextureFuncAddr = (WNDPROC)::GetProcAddress(_hUXTheme, "EnableThemeDialogTexture");

// Vulnerable code (PowerEditor/src/MISC/Exception/MiniDumper.cpp) - pre-patch
HMODULE hDll = ::LoadLibrary( TEXT("DBGHELP.DLL") );

// Patched code
HMODULE hDll = ::LoadLibraryEx(TEXT("DBGHELP.DLL"), nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32);
```
Source: Notepad++ commit 85d7215d
Detection Methods for CVE-2022-32168
Indicators of Compromise
- Presence of uxtheme.dll or DBGHELP.DLL files in the Notepad++ installation directory or any user-writable directory alongside notepad++.exe
- Unsigned or non-Microsoft signed copies of uxtheme.dll or DBGHELP.DLL loaded by the notepad++.exe process
- Module load events for uxtheme.dll or DBGHELP.DLL from paths outside C:\Windows\System32
- Unexpected child processes spawned by notepad++.exe, such as cmd.exe, powershell.exe, or rundll32.exe
Detection Strategies
- Monitor Windows Sysmon Event ID 7 (Image Loaded) for notepad++.exe loading DLLs from non-system paths
- Hunt for file write events that drop uxtheme.dll or DBGHELP.DLL into directories containing notepad++.exe
- Use endpoint telemetry to correlate Notepad++ launches with subsequent suspicious process creation or network activity
- Flag binaries named after known Windows system DLLs that are signed by a non-Microsoft publisher
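The Sysmon Event ID 7 check and the signer check described above can be expressed as one rule. The following is an added example, not code from the advisory or from Notepad++; the event records are constructed, and treating C:\Windows\SysWOW64 as a system path (for 32-bit Notepad++ on 64-bit Windows) is an assumption that goes beyond the System32-only wording of the page.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WATCHED = {"uxtheme.dll", "dbghelp.dll"}  # the two DLL names from the advisory
# Assumption: SysWOW64 is also accepted, for 32-bit Notepad++ on 64-bit Windows.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def make_event(image, loaded, signed, status, signature):
    """Build a constructed Sysmon Event ID 7 record with only the fields used here."""
    fields = {"Image": image, "ImageLoaded": loaded, "Signed": signed,
              "SignatureStatus": status, "Signature": signature}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>7</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

def check_image_load(event_xml):
    """Return findings for one event; empty list if benign or out of scope."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "7":
        return []
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    # Normalise first so "..\\" segments cannot disguise the real directory.
    loaded = ntpath.normpath(data.get("ImageLoaded", ""))
    if ntpath.basename(data.get("Image", "")).lower() != "notepad++.exe":
        return []
    if ntpath.basename(loaded).lower() not in WATCHED:
        return []
    findings = []
    if ntpath.dirname(loaded).lower() not in SYSTEM_DIRS:
        findings.append("loaded from non-system path: " + loaded)
    microsoft_signed = (data.get("Signed", "").lower() == "true"
                        and data.get("SignatureStatus") == "Valid"
                        and data.get("Signature", "").startswith("Microsoft"))
    if not microsoft_signed:
        findings.append("not validly Microsoft-signed")
    return findings

# Constructed sample events (not real telemetry).
SAMPLES = [
    make_event(r"C:\Program Files\Notepad++\notepad++.exe",
               r"C:\Windows\System32\uxtheme.dll", "true", "Valid", "Microsoft Windows"),
    make_event(r"D:\portable\npp\notepad++.exe",
               r"D:\portable\npp\UxTheme.dll", "false", "Unavailable", "-"),
    make_event(r"C:\Tools\other.exe",
               r"C:\Tools\dbghelp.dll", "false", "Unavailable", "-"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_image_load(sample))
```

The comparison is case-insensitive on both file name and directory, since Windows paths are and the advisory itself mixes UxTheme.dll and uxtheme.dll.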
Monitoring Recommendations
- Enable command-line and module-load auditing on all endpoints where Notepad++ is installed
- Establish a baseline of legitimate DLLs loaded by notepad++.exe and alert on deviations
- Audit shared network drives and removable media staging locations where users commonly run portable applications
How to Mitigate CVE-2022-32168
Immediate Actions Required
- Upgrade Notepad++ to version 8.4.2 or later, which incorporates commit 85d7215d
- Inventory endpoints to identify outdated Notepad++ installations, including portable copies on shared drives
- Remove any uxtheme.dll or DBGHELP.DLL files found in non-system directories adjacent to notepad++.exe
- Restrict write access to the Notepad++ installation directory to administrators only
Patch Information
The upstream fix is in the Notepad++ commit 85d7215d. The patch replaces LoadLibrary calls for uxtheme.dll and DBGHELP.DLL with LoadLibraryEx using the LOAD_LIBRARY_SEARCH_SYSTEM32 flag, ensuring the libraries are loaded only from the system directory. Additional context is available in the Mend CVE-2022-32168 advisory.
Workarounds
- Avoid launching Notepad++ from untrusted or user-writable directories such as Downloads, removable media, or extracted archives
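- Apply Microsoft's CWDIllegalInDllSearch registry setting to remove the current working directory from the DLL search path; this does not cover a DLL planted in the same directory as notepad++.exe, which is searched as the application directory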
- Enforce application allowlisting via Windows Defender Application Control or AppLocker to block unsigned DLLs from loading into trusted processes
- Run Notepad++ from a protected installation path such as C:\Program Files\Notepad++\ where standard users cannot write
```powershell
# Verify Notepad++ version on Windows (PowerShell)
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++" | Select-Object DisplayName, DisplayVersion

# Search for rogue DLLs adjacent to notepad++.exe
Get-ChildItem -Path "C:\" -Recurse -Include uxtheme.dll,DBGHELP.DLL -ErrorAction SilentlyContinue |
    Where-Object { $_.DirectoryName -notlike "C:\Windows\System32*" -and (Test-Path (Join-Path $_.DirectoryName "notepad++.exe")) }
```