The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33156

CVE-2026-33156: ScreenToGif DLL Sideloading RCE Vulnerability

CVE-2026-33156 is a DLL sideloading RCE flaw in ScreenToGif that enables arbitrary code execution when run from user-writable directories. This article covers technical details, affected versions, impact, and mitigation.

Published: March 27, 2026

CVE-2026-33156 Overview

CVE-2026-33156 is a DLL sideloading vulnerability affecting ScreenToGif, a popular screen recording tool. In versions from 2.42.1 and prior, the application is vulnerable to DLL sideloading via version.dll. When the portable executable is run from a user-writable directory, it loads version.dll from the application directory instead of the Windows System32 directory, allowing arbitrary code execution in the user's context.

Critical Impact

This vulnerability enables arbitrary code execution through DLL sideloading when ScreenToGif is run from user-writable locations—the default deployment method for this portable application.

Affected Products

  • ScreenToGif versions 2.42.1 and prior
  • Portable executable deployments in user-writable directories
  • Windows systems running the vulnerable application versions

Discovery Timeline

  • 2026-03-20 - CVE CVE-2026-33156 published to NVD
  • 2026-03-23 - Last updated in NVD database

Technical Details for CVE-2026-33156

Vulnerability Analysis

This vulnerability is classified under CWE-426 (Untrusted Search Path), which occurs when an application searches for libraries or executables in directories that may be under attacker control before searching in trusted system locations. The vulnerability is particularly severe in this case because ScreenToGif is primarily distributed as a portable application specifically designed to run from user-writable locations such as the Downloads folder or Desktop.

When the application executes, Windows follows its standard DLL search order. Because ScreenToGif loads version.dll without specifying the full system path, an attacker who places a malicious version.dll in the same directory as the ScreenToGif executable can achieve code execution with the privileges of the user running the application.

Root Cause

The root cause stems from the application's failure to use secure DLL loading practices. Instead of explicitly loading version.dll from the %SystemRoot%\System32 directory using an absolute path, the application relies on the default Windows DLL search order. This search order checks the application's directory before the System32 directory, creating an opportunity for DLL hijacking.

The vulnerability is exacerbated by the application's portable nature—users are expected to run it from user-writable locations where attackers could potentially place malicious DLL files through social engineering, drive-by downloads, or other attack vectors.

Attack Vector

The attack requires local access and user interaction. An attacker must place a malicious version.dll file in the same directory as the ScreenToGif executable before the victim launches the application. Attack scenarios include:

  1. An attacker convinces a user to download a "bundled" version of ScreenToGif containing a malicious DLL
  2. A malicious DLL is placed in the user's Downloads folder where ScreenToGif may be executed
  3. A compromised shared network location hosts both the application and the malicious DLL

When the user executes ScreenToGif, the malicious version.dll is loaded and executed with the user's privileges, potentially allowing persistent access, data exfiltration, or further lateral movement.

The vulnerability involves version.dll being loaded from an untrusted path. When ScreenToGif starts, it attempts to load version.dll following Windows DLL search order. If a malicious DLL with that name exists in the application directory, it will be loaded before the legitimate system DLL. The malicious DLL can then execute arbitrary code within the context of the ScreenToGif process. For detailed technical information, refer to the GitHub Security Advisory.

Detection Methods for CVE-2026-33156

Indicators of Compromise

  • Presence of version.dll files in user-writable directories alongside ScreenToGif.exe
  • Unexpected DLL files in Downloads, Desktop, or temporary directories where ScreenToGif may be executed
  • Process execution anomalies where ScreenToGif.exe spawns unexpected child processes or network connections
  • File hash mismatches for version.dll when compared against legitimate Windows system DLLs

Detection Strategies

  • Monitor for DLL loading events where version.dll is loaded from non-system directories using Sysmon Event ID 7 (Image Loaded)
  • Implement application whitelisting policies to prevent execution of unsigned or untrusted DLLs
  • Deploy endpoint detection and response (EDR) solutions capable of detecting DLL sideloading patterns
  • Create YARA rules to detect known malicious DLL payloads that may exploit this vulnerability

Monitoring Recommendations

  • Enable Windows Defender Attack Surface Reduction (ASR) rules for blocking untrusted and unsigned processes
  • Configure audit policies to log DLL loading events from user-writable directories
  • Monitor for file creation events involving version.dll in non-system paths
  • Implement behavioral analysis to detect anomalous activity following ScreenToGif execution

How to Mitigate CVE-2026-33156

Immediate Actions Required

  • Avoid running ScreenToGif from user-writable directories such as Downloads, Desktop, or temporary folders
  • Move ScreenToGif to a protected directory (e.g., C:\Program Files) where standard users cannot write files
  • Verify the integrity of any DLL files present in directories containing ScreenToGif
  • Consider using alternative screen recording tools until a patch is available

Patch Information

At the time of publication, there are no publicly available patches for this vulnerability. Users should monitor the GitHub Security Advisory for updates on remediation efforts.

Workarounds

  • Install ScreenToGif in a directory requiring administrative privileges to modify (e.g., C:\Program Files\ScreenToGif)
  • Implement folder permissions that prevent non-administrative users from writing to the ScreenToGif installation directory
  • Use Windows Defender Application Control (WDAC) or AppLocker policies to restrict DLL loading from user-writable paths
  • Consider running ScreenToGif in a sandboxed environment or virtual machine for sensitive operations
bash
# Move ScreenToGif to a protected directory and restrict permissions
mkdir "C:\Program Files\ScreenToGif"
copy "ScreenToGif.exe" "C:\Program Files\ScreenToGif\"
icacls "C:\Program Files\ScreenToGif" /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)F" /grant:r "BUILTIN\Users:(OI)(CI)RX"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechScreentogif
  • SeverityHIGH
  • CVSS Score7.8
  • EPSS Probability0.02%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityHigh
  • AvailabilityHigh
  • CWE References
  • CWE-426
  • Technical References
  • GitHub Security Advisory
  • Latest CVEs
  • CVE-2025-70797: LimeSurvey XSS Vulnerability
  • CVE-2025-30650: Juniper Junos OS Auth Bypass Vulnerability
  • CVE-2026-35471: Goshs Path Traversal Vulnerability
  • CVE-2026-35393: Goshs Path Traversal Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English