CVE-2026-23512 Overview
SumatraPDF is a popular multi-format document reader for Windows. A critical Untrusted Search Path vulnerability (CWE-426) exists in version 3.5.2 and earlier that allows arbitrary code execution when a user opens the Advanced Options setting. That command opens the application's settings file in Notepad, but it launches notepad.exe by bare name rather than by absolute path. Windows therefore resolves the name through its executable search order, so an attacker who can write a file named notepad.exe into the SumatraPDF installation directory gets that file executed with the privileges of the user running SumatraPDF.
Critical Impact
An attacker who can place a file in the SumatraPDF installation directory achieves arbitrary code execution on the victim's Windows system the next time the user opens Advanced Options. The planted binary runs in the security context of that user, which is enough for persistence, credential theft from the user's session, and lateral movement; it does not by itself grant higher privileges than the user already holds.
Affected Products
- SumatraPDF version 3.5.2 and earlier
- Windows installations of SumatraPDF whose installation directory is writable by non-administrators, including per-user installs located under the user's profile
Discovery Timeline
- 2026-01-14 - CVE-2026-23512 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2026-23512
Vulnerability Analysis
This vulnerability falls under CWE-426 (Untrusted Search Path), which occurs when an application locates a resource by searching directories it does not control before the trusted system locations. In this case, SumatraPDF's Advanced Options functionality invokes notepad.exe by bare name rather than by its fully qualified system path (e.g., C:\Windows\System32\notepad.exe).
When a process is created from an unqualified image name, Windows searches a fixed list of directories: the directory the calling application was loaded from, then the current directory of the parent process, then the System32 directory, the Windows directory, and finally the directories on PATH. Because the application's own directory is consulted first, an attacker-controlled notepad.exe placed in SumatraPDF's installation directory shadows the legitimate one in System32.
Root Cause
The root cause is the insecure invocation of notepad.exe without the complete absolute path to the Windows system executable. The application relies on the default search behavior of the process loader, which consults the application directory and the current directory before the system directories. This design flaw allows binary planting when the installation directory is writable by standard users (which is always the case for a per-user install) or when an attacker has already obtained write access to it by other means.
Attack Vector
The attack requires local access and user interaction. An attacker must:
- Gain write access to the SumatraPDF installation directory (either through prior compromise, social engineering, or if the directory has insecure permissions)
- Place a malicious executable named notepad.exe in this directory
- Wait for or convince the victim to access the Advanced Options feature in SumatraPDF
When the user triggers Advanced Options, the planted notepad.exe executes instead of the legitimate Windows Notepad, running with the privileges of the current user. This enables malware execution, credential theft, or further compromise of that user's session. Note that when the same user both owns the installation directory and runs SumatraPDF, the planted binary gains no privilege the attacker did not already have; the practical value in that scenario is a user-triggered execution point that survives reboots and looks like a normal Notepad launch.
The mechanism is ordinary Windows executable search order: an unqualified "notepad.exe" is resolved starting in the application's own directory, so an attacker-supplied binary there takes precedence over the system executable. For implementation details, see the GitHub Security Advisory.
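As an added example (not SumatraPDF's code and not from the advisory), the PowerShell below walks the documented CreateProcess search order for an unqualified image name and reports which file would win, without planting or launching anything. It also shows the hardened pattern the fix relies on: build the absolute path to the system Notepad and never let the loader search. The per-user install path under %LOCALAPPDATA% is an assumption for illustration; adjust it to your deployment.

```powershell
# Added example, not project code. Resolve an unqualified image name the way
# CreateProcess does when no path is given: application directory, current
# directory, System32, 16-bit System, Windows directory, then PATH.
function Resolve-UnqualifiedImage {
    param(
        [Parameter(Mandatory)] [string] $ImageName,   # e.g. 'notepad.exe'
        [Parameter(Mandatory)] [string] $AppDir,      # directory the caller was loaded from
        [string] $CurrentDir = (Get-Location).Path    # parent process's current directory
    )
    $candidates = @(
        $AppDir,
        $CurrentDir,
        [Environment]::GetFolderPath('System'),
        (Join-Path ([Environment]::GetFolderPath('Windows')) 'System'),
        [Environment]::GetFolderPath('Windows')
    ) + ($env:PATH -split ';' | Where-Object { $_ })

    foreach ($dir in $candidates) {
        $probe = Join-Path $dir $ImageName
        if (Test-Path -LiteralPath $probe -PathType Leaf) {
            # First hit wins; report whether it came from the app directory (the planting case)
            return [pscustomobject]@{ Resolved = $probe; FromAppDir = ($dir -eq $AppDir) }
        }
    }
    return $null
}

# Hardened pattern: an absolute path removes the search entirely.
# (Assumption: the target is the Notepad shipped in the system directory.)
function Get-SystemNotepadPath {
    Join-Path ([Environment]::GetFolderPath('System')) 'notepad.exe'
}

# Usage. Install directory is an assumption (default per-user install location).
$appDir = Join-Path $env:LOCALAPPDATA 'SumatraPDF'
$hit = Resolve-UnqualifiedImage -ImageName 'notepad.exe' -AppDir $appDir
if ($hit -and $hit.FromAppDir) {
    Write-Warning "Unqualified notepad.exe would resolve to $($hit.Resolved): a planted binary shadows the system one"
} elseif ($hit) {
    "Unqualified notepad.exe resolves to $($hit.Resolved); hardened path is $(Get-SystemNotepadPath)"
}
```

The resolver assumes the CreateProcess order, which matches the advisory's description; ShellExecute-style launches use a different search (including App Paths registry entries), so confirm which API the affected build uses before relying on the exact order. On a 32-bit process, the System directory is redirected to SysWOW64, which is still a trusted location.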
Detection Methods for CVE-2026-23512
Indicators of Compromise
- Presence of notepad.exe (or any executable other than SumatraPDF's own) in the SumatraPDF installation directory, typically C:\Program Files\SumatraPDF\ for an all-users install or %LOCALAPPDATA%\SumatraPDF\ for a per-user install
- Unexpected process execution chains where SumatraPDF spawns processes other than the legitimate Windows Notepad
- File creation or modification events in the SumatraPDF installation directory involving executable files
Detection Strategies
- Monitor for executable files created in application installation directories that match common Windows system executable names (e.g., notepad.exe, calc.exe)
- Implement application whitelisting or software restriction policies to prevent unauthorized executables from running in application directories
- Deploy endpoint detection rules to alert on process creation events where the parent process is SumatraPDF.exe and the child image path is not under the Windows directory (System32 or SysWOW64). On Windows 11 builds where Notepad is delivered as a Store app, the legitimate child may instead be the packaged Notepad under C:\Program Files\WindowsApps; allowlist that path explicitly rather than widening the rule
Monitoring Recommendations
- Configure file integrity monitoring for the SumatraPDF installation directory to detect unauthorized changes
- Review process execution logs for anomalous parent-child process relationships involving SumatraPDF
- Enable Windows Security Event logging for process creation (Event ID 4688) with command line auditing, or Sysmon Event ID 1, so that parent and child image paths and command lines are captured for the suspicious execution pattern above
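The following PowerShell is an added example (not from the advisory or the SumatraPDF project) that implements the two detection strategies above on a single host: it audits the installation directories for executables that shadow a system binary, and it hunts Security log 4688 events in which SumatraPDF.exe spawned a child outside the Windows directory. The candidate install paths and the seven-day window are assumptions; process creation auditing (and command line auditing for the CommandLine field) must already be enabled for the second part to return anything.

```powershell
# Added example, not project code. Host-local audit for CVE-2026-23512 indicators.
# Install directories are assumptions: the all-users and per-user defaults.
$installDirs = @(
    (Join-Path $env:ProgramFiles 'SumatraPDF'),
    (Join-Path $env:LOCALAPPDATA 'SumatraPDF')
) | Where-Object { Test-Path -LiteralPath $_ }

$systemDir = [Environment]::GetFolderPath('System')

# 1. Executables in the install directory. notepad.exe there is the specific IoC;
#    any other .exe that shares a name with a System32 binary is a planting attempt too.
function Get-PlantedExecutables {
    param([string[]] $Dirs)
    foreach ($dir in $Dirs) {
        Get-ChildItem -LiteralPath $dir -Filter *.exe -Recurse | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path                = $_.FullName
                ShadowsSystemBinary = Test-Path -LiteralPath (Join-Path $systemDir $_.Name) -PathType Leaf
                Signature           = $sig.Status                      # Valid / NotSigned / HashMismatch ...
                Signer              = $sig.SignerCertificate.Subject   # null when unsigned
                CreatedUtc          = $_.CreationTimeUtc
            }
        }
    }
}

# 2. 4688 parent/child check. ParentProcessName is present in 4688 on Windows 10 /
#    Server 2016 and later. Legitimate Notepad lives under $env:SystemRoot; on
#    Windows 11 with the Store Notepad, add its WindowsApps path to $allowed.
function Get-SuspiciousSumatraChildren {
    param([datetime] $Since = (Get-Date).AddDays(-7))
    $allowed = @("$env:SystemRoot\*")
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ParentProcessName -notlike '*\SumatraPDF.exe') { continue }
        $isAllowed = $false
        foreach ($pattern in $allowed) { if ($d.NewProcessName -like $pattern) { $isAllowed = $true } }
        if (-not $isAllowed) {
            [pscustomobject]@{
                Time    = $ev.TimeCreated
                Parent  = $d.ParentProcessName
                Child   = $d.NewProcessName
                Command = $d.CommandLine    # empty unless command line auditing is on
            }
        }
    }
}

"== Executables in SumatraPDF install directories =="
Get-PlantedExecutables -Dirs $installDirs |
    Where-Object { $_.ShadowsSystemBinary -or $_.Path -notlike '*\SumatraPDF.exe' } |
    Format-Table -AutoSize

"== SumatraPDF.exe children outside $env:SystemRoot (last 7 days) =="
Get-SuspiciousSumatraChildren | Format-Table -AutoSize
```

Treat any row from the first query whose ShadowsSystemBinary is true as a confirmed planting regardless of its signature status; a signed but misplaced binary is still a hijack. The second query needs to run in an elevated session, since the Security log is not readable by standard users.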
How to Mitigate CVE-2026-23512
Immediate Actions Required
- Update SumatraPDF to the latest patched version that addresses this vulnerability
- Audit the SumatraPDF installation directory for any unexpected executable files and remove any suspicious binaries
- Restrict write permissions on the SumatraPDF installation directory to administrators only
- Consider implementing application control policies to prevent execution of unauthorized binaries
Patch Information
The vulnerability has been addressed in a code commit by the SumatraPDF development team. The fix modifies the application to use an absolute path when invoking Notepad, preventing the untrusted search path exploitation. Review the GitHub commit for technical details of the fix.
Users should update to the latest version of SumatraPDF available from the official website or GitHub releases page.
Workarounds
- Remove write permissions for non-administrator users from the SumatraPDF installation directory using Windows ACLs
- Avoid using the Advanced Options feature in vulnerable versions until the patch is applied
- Deploy endpoint protection solutions that detect and block binary planting attacks in application directories
- Implement Windows Defender Application Control (WDAC) or AppLocker policies to restrict executable loading to trusted directories
# Windows PowerShell - Restrict write access to SumatraPDF directory
# Run as Administrator. Only meaningful for an all-users install under Program Files;
# a per-user install under %LOCALAPPDATA%\SumatraPDF is owned by the user and cannot
# be locked down this way without breaking that user's updates.
$sumatraPath = "C:\Program Files\SumatraPDF"
if (-not (Test-Path -LiteralPath $sumatraPath)) { throw "Directory not found: $sumatraPath" }
$acl = Get-Acl -LiteralPath $sumatraPath
# Stop inheriting from the parent and drop inherited entries, so no inherited Write/Modify grant survives
$acl.SetAccessRuleProtection($true, $false)
$inherit = "ContainerInherit,ObjectInherit"
$adminRule  = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators","FullControl",$inherit,"None","Allow")
$systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM","FullControl",$inherit,"None","Allow")
$usersRule  = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Users","ReadAndExecute",$inherit,"None","Allow")
$acl.AddAccessRule($adminRule)
$acl.AddAccessRule($systemRule)   # SYSTEM is needed for installers and update services
$acl.AddAccessRule($usersRule)
Set-Acl -LiteralPath $sumatraPath -AclObject $acl
# Verify: no Allow entry for Users or Authenticated Users should carry Write or Modify
(Get-Acl -LiteralPath $sumatraPath).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


