CVE-2026-4545 Overview
A security flaw has been discovered in Flos Freeware Notepad2 4.2.25. This affects an unknown function in the library PROPSYS.dll. Performing a manipulation results in an uncontrolled search path vulnerability (CWE-426). The attack requires local access and is considered to have high complexity, making exploitability difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Critical Impact
Local attackers with access to the system could potentially hijack the DLL loading mechanism in Notepad2 to execute arbitrary code with the privileges of the affected application user.
Affected Products
- Flos Freeware Notepad2 version 4.2.25
- Windows systems with PROPSYS.dll dependency
Discovery Timeline
- 2026-03-22 - CVE CVE-2026-4545 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-4545
Vulnerability Analysis
This vulnerability is classified as an Uncontrolled Search Path Element (CWE-426). The flaw exists within the DLL loading mechanism of Flos Freeware Notepad2 4.2.25, specifically involving the PROPSYS.dll library. When the application attempts to load this DLL, it follows Windows' standard DLL search order without properly validating or restricting the search path.
An attacker with local system access could exploit this by placing a malicious DLL file named PROPSYS.dll in a directory that is searched before the legitimate system directory. When Notepad2 launches and attempts to load the library, it could inadvertently load the attacker's malicious DLL instead of the legitimate Windows system library.
Root Cause
The root cause of this vulnerability is the application's failure to implement secure DLL loading practices. Notepad2 does not use absolute paths when loading the PROPSYS.dll library and does not employ Windows security mechanisms such as SetDllDirectory("") or LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32 flag to restrict DLL search paths. This allows the application to search through potentially attacker-controlled directories before finding the legitimate system DLL.
Attack Vector
The attack vector requires local access to the target system. An attacker must be able to place a malicious DLL file in a location that will be searched by Windows before the legitimate system directory. Common attack scenarios include:
The attacker places a malicious PROPSYS.dll in the application's working directory or installation folder. When a user launches Notepad2, the malicious DLL is loaded instead of the legitimate system library, allowing the attacker's code to execute within the context of the application process.
The complexity of exploitation is considered high because the attacker needs local access and must identify an appropriate directory placement where their malicious DLL will be loaded preferentially. Additional factors such as user privileges and security software may also complicate successful exploitation.
Detection Methods for CVE-2026-4545
Indicators of Compromise
- Presence of unexpected PROPSYS.dll files in the Notepad2 installation directory or working directories
- DLL files with unusual modification timestamps or digital signature anomalies in application folders
- Process execution logs showing Notepad2 loading DLLs from non-standard system paths
Detection Strategies
- Monitor for DLL loading events from Notepad2 that originate from directories other than %SYSTEM32% or %SYSWOW64%
- Implement file integrity monitoring on Notepad2 installation directories to detect unauthorized file additions
- Use endpoint detection tools to alert on processes loading unsigned or suspiciously signed DLLs
Monitoring Recommendations
- Enable Windows Sysmon or EDR logging to capture detailed DLL load events (Sysmon Event ID 7)
- Configure alerts for any new DLL files created in application directories with common hijack target names
- Review process creation logs for Notepad2 execution patterns that may indicate exploitation attempts
How to Mitigate CVE-2026-4545
Immediate Actions Required
- Restrict write permissions on the Notepad2 installation directory to administrators only
- Consider using application allowlisting to prevent unauthorized DLLs from loading
- Monitor for any suspicious DLL files appearing in directories associated with Notepad2
- Evaluate alternative text editor applications with better security practices until a patch is available
Patch Information
No official patch is currently available from the vendor. According to the disclosure, the vendor was contacted about this vulnerability but did not respond. Organizations should monitor VulDB #352372 for any updates regarding vendor response or patch availability. Additional technical details may be available in the Google Drive document referenced in the vulnerability disclosure.
Workarounds
- Ensure the Notepad2 installation directory and its parent directories have restrictive write permissions
- Run Notepad2 from a protected directory where standard users cannot create files
- Consider using Windows Defender Application Control (WDAC) or AppLocker to restrict DLL loading
- Deploy endpoint protection solutions capable of detecting DLL hijacking attempts
# Configuration example - Restrict directory permissions
icacls "C:\Program Files\Notepad2" /inheritance:r /grant:r Administrators:F /grant:r SYSTEM:F /grant:r Users:RX
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
