CVE-2026-4546 Overview
A weakness has been identified in Flos Freeware Notepad2 4.2.25: an uncontrolled search path vulnerability. It affects an unknown function in the library TextShaping.dll. By manipulating the DLL search path, an attacker can potentially achieve code execution. The attack is restricted to local execution and requires a high level of complexity, making exploitation difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Critical Impact
Local attackers with low privileges can potentially achieve high impact on confidentiality, integrity, and availability through DLL search path manipulation in TextShaping.dll.
Affected Products
- Flos Freeware Notepad2 4.2.25
Discovery Timeline
- 2026-03-22 - CVE-2026-4546 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-4546
Vulnerability Analysis
This vulnerability is classified as CWE-426 (Untrusted Search Path), which occurs when an application searches for critical resources using an externally-supplied search path that can point to resources outside the intended control sphere. In the case of Notepad2, the application loads the TextShaping.dll library using an insecure search order, which allows a local attacker to place a malicious DLL in a location that will be searched before the legitimate library.
The attack requires local access to the target system and involves placing a specially crafted malicious DLL file in a directory that appears earlier in the Windows DLL search order than the legitimate TextShaping.dll. When Notepad2 is executed, it will load the attacker's malicious DLL instead of the legitimate one, potentially executing arbitrary code in the context of the application.
Root Cause
The root cause of this vulnerability lies in the improper DLL loading mechanism within Notepad2 4.2.25. The application does not use secure DLL loading practices, such as specifying absolute paths or using the SetDllDirectory API to restrict the search path. This allows the application to search for TextShaping.dll in potentially untrusted directories, including the current working directory or user-controlled locations.
Attack Vector
The attack vector is local, requiring the attacker to have some level of access to the target system. The attacker must place a malicious TextShaping.dll file in a location where Notepad2 will search for DLLs before finding the legitimate library. This could be accomplished by:
- Placing the malicious DLL in the same directory as a document that will be opened with Notepad2
- Placing the malicious DLL in the application's working directory
- Modifying the system PATH environment variable to include a directory containing the malicious DLL
When a user launches Notepad2 or opens a file with the application, the malicious DLL is loaded and executed with the privileges of the current user.
Detection Methods for CVE-2026-4546
Indicators of Compromise
- Presence of unexpected TextShaping.dll files in directories other than the Windows system directory or Notepad2 installation directory
- Unusual process behavior from Notepad2, such as network connections or spawning child processes
- DLL loading events showing TextShaping.dll being loaded from non-standard locations
Detection Strategies
- Monitor DLL loading events for Notepad2 using tools like Process Monitor or Sysmon to identify DLLs loaded from unexpected paths
- Implement application whitelisting to prevent unauthorized DLLs from being loaded
- Use endpoint detection and response (EDR) solutions to detect anomalous DLL side-loading behavior
Monitoring Recommendations
- Enable image-load logging with Sysmon (Event ID 7) so that DLL loads are recorded in the Windows event log
- Monitor file system changes in directories commonly used by Notepad2
- Review process execution logs for signs of code execution originating from Notepad2
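The detection strategies and monitoring recommendations above boil down to one rule: Notepad2 should only ever load TextShaping.dll from a trusted directory, and the loaded file should carry a Microsoft signature. The following is an added example, not code from the advisory or from the Notepad2 project, that applies that rule to Sysmon Event ID 7 (Image loaded) records rendered as key="value" text. The log lines are constructed for the example; the Notepad2 install directory `C:\Program Files\Notepad2` is an assumed location and should be replaced with the real install path, and the key="value" rendering is an assumed export format (a SIEM or script would produce something similar from the Sysmon XML).

```python
"""Flag Notepad2 loading TextShaping.dll from an untrusted directory (Sysmon Event ID 7)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Directories from which TextShaping.dll is expected to be loaded (compared case-insensitively).
# System32/SysWOW64 are the Windows system directories; the Notepad2 install directory
# below is an ASSUMED example location and must be adjusted to the real deployment.
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files\notepad2",  # assumed install directory
}
TARGET_DLL = "textshaping.dll"
TARGET_PROCESS = "notepad2.exe"

# Matches key="value" pairs; values may contain backslashes but not double quotes.
_KV = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    process_id: int
    image_loaded: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse one key="value" rendered Sysmon record into a dict."""
    return dict(_KV.findall(line))


def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding if this Event ID 7 record shows Notepad2 loading a suspect TextShaping.dll."""
    if event.get("EventID") != "7":
        return None  # only image-load events are of interest here
    process = ntpath.basename(event.get("Image", "")).lower()
    loaded = event.get("ImageLoaded", "")
    if process != TARGET_PROCESS or ntpath.basename(loaded).lower() != TARGET_DLL:
        return None
    reasons = []
    load_dir = ntpath.dirname(loaded).lower().rstrip("\\")
    if load_dir not in TRUSTED_DIRS:
        reasons.append("loaded from untrusted directory")
    signed = event.get("Signed", "").lower() == "true"
    if not signed or "microsoft" not in event.get("Signature", "").lower():
        reasons.append("not Microsoft-signed")
    if not reasons:
        return None
    return Finding(int(event.get("ProcessId", "0")), loaded, "; ".join(reasons))


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run check_event over every rendered record and keep the hits."""
    return [f for f in (check_event(parse_event(line)) for line in lines) if f]


# Constructed sample records (not real telemetry): one expected load from System32,
# one planted copy in a user directory, one load by an unrelated process, one non-load event.
SAMPLE_LOG = [
    r'EventID="7" Image="C:\Program Files\Notepad2\Notepad2.exe" ImageLoaded="C:\Windows\System32\TextShaping.dll" Signed="true" Signature="Microsoft Windows" ProcessId="4120"',
    r'EventID="7" Image="C:\Program Files\Notepad2\Notepad2.exe" ImageLoaded="C:\Users\alice\Downloads\TextShaping.dll" Signed="false" Signature="" ProcessId="5044"',
    r'EventID="7" Image="C:\Windows\System32\notepad.exe" ImageLoaded="C:\Users\alice\Downloads\TextShaping.dll" Signed="false" Signature="" ProcessId="5100"',
    r'EventID="1" Image="C:\Program Files\Notepad2\Notepad2.exe" CommandLine="Notepad2.exe notes.txt" ProcessId="5044"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"PID {finding.process_id}: {finding.image_loaded} ({finding.reason})")
```

The third sample record is deliberately ignored: this check is scoped to Notepad2 because that is the process the advisory covers, but widening `TARGET_PROCESS` to a set of executables (or dropping the process filter and keeping only the directory and signature checks) turns the same logic into a general TextShaping.dll side-loading detector.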
How to Mitigate CVE-2026-4546
Immediate Actions Required
- Avoid opening files from untrusted sources with Notepad2 until a patch is available
- Consider using alternative text editors until the vendor addresses the vulnerability
- Ensure TextShaping.dll is only present in trusted system directories
Patch Information
No patch is currently available from the vendor. According to the disclosure, the vendor was contacted about this vulnerability but did not respond. Users should monitor the VulDB entry for updates on any future patches or mitigations.
Workarounds
- Run Notepad2 from a dedicated installation directory with restricted write permissions to prevent DLL planting
- Use application control solutions to restrict DLL loading to known-good paths only
- Consider applying the system-wide CWDIllegalInDllSearch registry setting, which restricts DLL loading from the current working directory
# Configuration example - Restrict DLL search path via registry
# Run in an elevated command prompt
# Value 2 blocks DLL loads from the current working directory when that directory is a remote
# location (UNC or WebDAV); 0xFFFFFFFF removes the current working directory from the search
# order entirely and is the stricter choice where local DLL planting is a concern
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 2 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.