CVE-2026-2516: ezPDF Reader Path Traversal Vulnerability

CVE-2026-2516 Overview

A DLL search path vulnerability has been identified in Unidocs ezPDF DRM Reader and ezPDF Reader affecting versions 2.0 and 3.0.0.4 on 32-bit Windows systems. The vulnerability exists within the application's handling of the SHFOLDER.dll library, where improper validation of the DLL search path allows an attacker to load a malicious DLL from an untrusted location. This is classified as CWE-426 (Untrusted Search Path), a vulnerability class that can lead to arbitrary code execution in the context of the vulnerable application.

Critical Impact
Local attackers with user-level privileges can exploit this DLL search path vulnerability to execute arbitrary code with the privileges of the ezPDF Reader application, potentially leading to complete system compromise.

Affected Products

Unidocs ezPDF DRM Reader (32-bit)
Unidocs ezPDF Reader 2.0 (32-bit)
Unidocs ezPDF Reader 3.0.0.4 (32-bit)

Discovery Timeline

2026-02-15 - CVE-2026-2516 published to NVD
2026-02-18 - Last updated in NVD database

Technical Details for CVE-2026-2516

Vulnerability Analysis

This vulnerability stems from an uncontrolled search path element (CWE-426) in the way ezPDF Reader loads the SHFOLDER.dll library. When the application attempts to load this DLL, it does not properly validate the search path, allowing an attacker to place a malicious DLL in a location that will be searched before the legitimate system directory.

The attack requires local access to the target system and involves placing a specially crafted malicious SHFOLDER.dll in a directory that precedes the legitimate Windows system directory in the DLL search order. When a user launches ezPDF Reader from that location or opens a PDF file associated with the vulnerable application, the malicious DLL is loaded instead of the legitimate system library.

The exploit for this vulnerability has been publicly disclosed, increasing the risk of active exploitation. The vendor was contacted about this vulnerability but did not respond, leaving users without an official patch.

Root Cause

The root cause of CVE-2026-2516 is improper DLL loading practices in the ezPDF Reader application. The software fails to specify a fully qualified path when loading SHFOLDER.dll, instead relying on the default Windows DLL search order. This allows attackers to hijack the DLL loading process by placing a malicious library in a directory that is searched before %SYSTEMROOT%\System32.

On 32-bit Windows systems, the default DLL search order typically includes the application's directory, the current working directory, and various system directories. By exploiting this behavior, an attacker can achieve code execution in the context of the vulnerable application.

Attack Vector

The attack vector for this vulnerability is local, requiring the attacker to have some level of access to the target system. The exploitation process involves:

The attacker creates a malicious SHFOLDER.dll containing arbitrary code
The malicious DLL is placed in a directory where ezPDF Reader will search for it (e.g., the application directory or a directory containing a PDF file)
When a user opens ezPDF Reader or a PDF document, the application loads the malicious DLL
The attacker's code executes with the privileges of the ezPDF Reader process

The attack complexity is high due to the need for precise placement of the malicious DLL and user interaction to trigger the vulnerability. However, social engineering techniques such as sending a ZIP archive containing both a PDF file and the malicious DLL could facilitate exploitation.

Detection Methods for CVE-2026-2516

Indicators of Compromise

Presence of unexpected SHFOLDER.dll files in application directories or user-writable locations outside of %SYSTEMROOT%\System32
Process creation events showing ezPDF Reader loading DLLs from non-standard locations
Suspicious DLL files with SHFOLDER.dll filename that have different file hashes than the legitimate Windows library
Unusual network connections or child processes spawned by ezPDF Reader

Detection Strategies

Monitor for DLL loading events where SHFOLDER.dll is loaded from paths other than the Windows System32 directory
Implement file integrity monitoring on ezPDF Reader installation directories to detect unauthorized DLL placement
Use endpoint detection and response (EDR) solutions to identify process injection or suspicious code execution following PDF file access
Deploy application whitelisting to prevent unauthorized DLLs from being loaded by ezPDF Reader

Monitoring Recommendations

Enable Windows Security Event logging for DLL loads (Event ID 7) and monitor for anomalous library paths
Configure SentinelOne behavioral AI to detect DLL sideloading patterns associated with document reader applications
Implement network segmentation to limit the impact of potential code execution
Review and audit file system permissions on directories where ezPDF Reader may search for DLLs

How to Mitigate CVE-2026-2516

Immediate Actions Required

Consider discontinuing use of ezPDF DRM Reader and ezPDF Reader until the vendor provides a security patch
Ensure users do not open PDF files from untrusted sources or extract archives containing PDF files alongside unknown DLL files
Implement application control policies to restrict DLL loading to trusted directories only
Deploy SentinelOne Singularity platform for real-time detection of DLL hijacking attempts

Patch Information

As of the last modification date (2026-02-18), no official patch is available from Unidocs. The vendor was contacted regarding this vulnerability but did not respond. Organizations should monitor the VulDB entry and vendor communications for updates on patch availability.

In the absence of an official fix, organizations are advised to implement compensating controls and consider alternative PDF reader solutions.

Workarounds

Remove or restrict write permissions on the ezPDF Reader application directory to prevent unauthorized DLL placement
Configure Windows DLL search order using SafeDllSearchMode registry setting to prioritize system directories
Use Windows Defender Application Control (WDAC) or AppLocker to restrict DLL loading to known-good libraries
Train users to avoid opening PDF files from untrusted sources, especially when delivered in archive formats

bash

# Registry configuration to enable SafeDllSearchMode (run as Administrator)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f

# Verify the setting
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode

CVE-2026-2516 Overview

Critical Impact
Local attackers with user-level privileges can exploit this DLL search path vulnerability to execute arbitrary code with the privileges of the ezPDF Reader application, potentially leading to complete system compromise.

Affected Products

Unidocs ezPDF DRM Reader (32-bit)
Unidocs ezPDF Reader 2.0 (32-bit)
Unidocs ezPDF Reader 3.0.0.4 (32-bit)

Discovery Timeline

2026-02-15 - CVE-2026-2516 published to NVD
2026-02-18 - Last updated in NVD database

Technical Details for CVE-2026-2516

Vulnerability Analysis

Root Cause

Attack Vector

The attack vector for this vulnerability is local, requiring the attacker to have some level of access to the target system. The exploitation process involves:

The attacker creates a malicious SHFOLDER.dll containing arbitrary code
The malicious DLL is placed in a directory where ezPDF Reader will search for it (e.g., the application directory or a directory containing a PDF file)
When a user opens ezPDF Reader or a PDF document, the application loads the malicious DLL
The attacker's code executes with the privileges of the ezPDF Reader process

Detection Methods for CVE-2026-2516

Indicators of Compromise

Presence of unexpected SHFOLDER.dll files in application directories or user-writable locations outside of %SYSTEMROOT%\System32
Process creation events showing ezPDF Reader loading DLLs from non-standard locations
Suspicious DLL files with SHFOLDER.dll filename that have different file hashes than the legitimate Windows library
Unusual network connections or child processes spawned by ezPDF Reader

Detection Strategies

Monitor for DLL loading events where SHFOLDER.dll is loaded from paths other than the Windows System32 directory
Implement file integrity monitoring on ezPDF Reader installation directories to detect unauthorized DLL placement
Use endpoint detection and response (EDR) solutions to identify process injection or suspicious code execution following PDF file access
Deploy application whitelisting to prevent unauthorized DLLs from being loaded by ezPDF Reader

Monitoring Recommendations

Enable Windows Security Event logging for DLL loads (Event ID 7) and monitor for anomalous library paths
Configure SentinelOne behavioral AI to detect DLL sideloading patterns associated with document reader applications
Implement network segmentation to limit the impact of potential code execution
Review and audit file system permissions on directories where ezPDF Reader may search for DLLs

How to Mitigate CVE-2026-2516

Immediate Actions Required

Consider discontinuing use of ezPDF DRM Reader and ezPDF Reader until the vendor provides a security patch
Ensure users do not open PDF files from untrusted sources or extract archives containing PDF files alongside unknown DLL files
Implement application control policies to restrict DLL loading to trusted directories only
Deploy SentinelOne Singularity platform for real-time detection of DLL hijacking attempts

Patch Information

In the absence of an official fix, organizations are advised to implement compensating controls and consider alternative PDF reader solutions.

Workarounds

Remove or restrict write permissions on the ezPDF Reader application directory to prevent unauthorized DLL placement
Configure Windows DLL search order using SafeDllSearchMode registry setting to prioritize system directories
Use Windows Defender Application Control (WDAC) or AppLocker to restrict DLL loading to known-good libraries
Train users to avoid opening PDF files from untrusted sources, especially when delivered in archive formats

bash

# Registry configuration to enable SafeDllSearchMode (run as Administrator)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f

# Verify the setting
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode

CVE-2026-2516: ezPDF Reader Path Traversal Vulnerability

CVE-2026-2516 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-2516

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-2516

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-2516

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-2516: ezPDF Reader Path Traversal Vulnerability

CVE-2026-2516 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-2516

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-2516

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-2516

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform