CVE-2026-2538 Overview
A DLL hijacking vulnerability has been discovered in Flos Freeware Notepad2, a popular lightweight text editor. The vulnerability exists due to an uncontrolled search path element affecting the Msimg32.dll library. An attacker with local access can exploit this flaw to execute arbitrary code by placing a malicious DLL in the application's search path.
Critical Impact
Local attackers can achieve arbitrary code execution with the privileges of the Notepad2 process by exploiting the DLL search order hijacking vulnerability in Msimg32.dll.
Affected Products
- Flos Freeware Notepad2 4.2.22
- Flos Freeware Notepad2 4.2.23
- Flos Freeware Notepad2 4.2.24
- Flos Freeware Notepad2 4.2.25
Discovery Timeline
- 2026-02-16 - CVE-2026-2538 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-2538
Vulnerability Analysis
This vulnerability is classified as CWE-426 (Untrusted Search Path), which occurs when an application loads a DLL from a location that could be under attacker control. In this case, Notepad2 attempts to load Msimg32.dll using an insecure search path mechanism, allowing an attacker to place a malicious DLL with the same name in a directory that is searched before the legitimate system directory.
The attack requires local access to the system and exploitation complexity is considered high. However, successful exploitation can lead to complete compromise of confidentiality, integrity, and availability within the context of the application. The vendor was contacted regarding this vulnerability but did not respond.
Root Cause
The root cause is an uncontrolled search path element (CWE-426) in Notepad2's DLL loading mechanism. When the application starts, it searches for Msimg32.dll following the Windows DLL search order. If an attacker can place a malicious DLL in the application's working directory or another directory that precedes the system directory in the search path, the malicious DLL will be loaded instead of the legitimate system library.
Attack Vector
This is a local attack vector requiring the attacker to have the ability to write files to directories within the application's DLL search path. The attacker must place a crafted malicious Msimg32.dll in a location where it will be found before the legitimate Windows system DLL.
The exploitation involves creating a malicious DLL named Msimg32.dll that contains attacker-controlled code. When Notepad2 is launched, it inadvertently loads this malicious library, executing the attacker's payload with the same privileges as the Notepad2 process. Additional technical details can be found in the GitHub DLL Hijacking Report.
Detection Methods for CVE-2026-2538
Indicators of Compromise
- Presence of Msimg32.dll in the Notepad2 installation directory or the directory from which Notepad2 is executed
- Unexpected DLL files in user-writable directories alongside Notepad2 executable
- Process execution anomalies when Notepad2 loads unusual modules
Detection Strategies
- Monitor for DLL loading events from Notepad2 where Msimg32.dll is loaded from non-system directories
- Implement application whitelisting to detect and block unauthorized DLLs
- Deploy endpoint detection rules that alert on DLL sideloading patterns in text editor applications
Monitoring Recommendations
- Enable detailed logging of module load events (Sysmon Event ID 7, Image loaded)
- Monitor file system changes in Notepad2 installation directories
- Utilize SentinelOne's behavioral AI to detect anomalous DLL loading patterns indicating hijacking attempts
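One way to apply the module-load check described above, as an added example that is not part of the original advisory or any vendor product. It assumes the events are Sysmon Event ID 7 records exported as XML and that Windows is installed in C:\Windows; the function names and sample events are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Directories holding the genuine Msimg32.dll (assumption: Windows lives in C:\Windows).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def event_fields(xml_text):
    """Return (event_id, {Data Name: value}) for one Sysmon event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def is_hijack_candidate(xml_text):
    """True when Notepad2 loaded Msimg32.dll from outside the system directories."""
    event_id, data = event_fields(xml_text)
    if event_id != 7:  # only "Image loaded" events are relevant
        return False
    image = data.get("Image", "").lower()
    loaded = data.get("ImageLoaded", "").lower()
    if ntpath.basename(image) != "notepad2.exe":
        return False
    if ntpath.basename(loaded) != "msimg32.dll":
        return False
    # normpath collapses "..", so System32\..\Temp is not mistaken for System32.
    return ntpath.normpath(ntpath.dirname(loaded)) not in TRUSTED_DIRS

def sample_event(event_id, image, image_loaded):
    """Constructed record shaped like a Sysmon event export (not real telemetry)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System>"
        f'<EventData><Data Name="Image">{image}</Data>'
        f'<Data Name="ImageLoaded">{image_loaded}</Data></EventData></Event>'
    )

SAMPLES = {  # constructed paths for illustration
    "portable_copy": sample_event(7, r"C:\Users\alice\Downloads\np2\Notepad2.exe",
                                  r"C:\Users\alice\Downloads\np2\Msimg32.dll"),
    "system_load": sample_event(7, r"C:\Program Files\Notepad2\Notepad2.exe",
                                r"C:\Windows\System32\msimg32.dll"),
    "other_process": sample_event(7, r"C:\Windows\explorer.exe",
                                  r"C:\Temp\msimg32.dll"),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, "ALERT" if is_hijack_candidate(xml_text) else "ok")
```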
How to Mitigate CVE-2026-2538
Immediate Actions Required
- Avoid running Notepad2 from user-writable directories or network shares
- Ensure Notepad2 is executed only from protected installation directories with restricted write permissions
- Consider using alternative text editors until a patch is released by the vendor
Patch Information
No official patch is currently available. The vendor was contacted early about this disclosure but did not respond in any way. Users should monitor the VulDB entry and vendor channels for any future security updates.
Workarounds
- Run Notepad2 from a directory with restricted write permissions (e.g., C:\Program Files\)
- Remove write permissions for non-administrators from the Notepad2 installation directory
- Deploy application control solutions to prevent loading of unauthorized DLLs
- Consider using SentinelOne's application control features to restrict DLL loading behavior
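# Restrict write permissions on Notepad2 directory (run as Administrator)
# (OI)(CI) makes each grant inherit to the files and subfolders inside the directory
icacls "C:\Program Files\Notepad2" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"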


