Skip to main content

Notepad2 CVE-2026-4546

| EUVDEUVD-2026-14303 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-03-22 VulDB GHSA-c87r-r9gf-jq2q
7.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 30, 2026 - 14:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 30, 2026 - 14:37 vuln.today
cvss_changed
CVSS changed
Apr 30, 2026 - 14:37 NVD
7.0 (HIGH) 7.3 (HIGH)
EUVD ID Assigned
Mar 22, 2026 - 13:30 euvd
EUVD-2026-14303
Analysis Generated
Mar 22, 2026 - 13:30 vuln.today
CVE Published
Mar 22, 2026 - 13:02 nvd
HIGH 7.0

DescriptionCVE.org

A weakness has been identified in Flos Freeware Notepad2 4.2.25. This impacts an unknown function in the library TextShaping.dll. Executing a manipulation can lead to uncontrolled search path. The attack is restricted to local execution. The attack requires a high level of complexity. The exploitability is said to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

DLL hijacking in Flos Freeware Notepad2 4.2.25 enables local privilege escalation when an attacker with low-privilege access can place a malicious TextShaping.dll in the application's search path, achieving high confidentiality, integrity, and availability impact. Exploitation requires high attack complexity and is considered difficult per vendor assessment. No public exploit identified at time of analysis, with EPSS score of 0.01% indicating minimal observed exploitation activity. Vendor unresponsive to disclosure, leaving patch status uncertain.

Technical ContextAI

This vulnerability exploits CWE-427 (Uncontrolled Search Path Element), commonly known as DLL hijacking or binary planting. When Notepad2 loads TextShaping.dll, it searches multiple filesystem locations in a predictable order. An attacker who can write to an earlier-searched directory (such as the application directory or current working directory) can place a malicious DLL that the application will load instead of the legitimate library. The CPE identifier cpe:2.3:a:flos_freeware:notepad2:4.2.25 confirms this affects the specific Flos Freeware implementation of Notepad2, a lightweight text editor. The CVSS 4.0 vector indicates local attack vector (AV:L) with high attack complexity (AC:H), requiring low privileges (PR:L) but no user interaction (UI:N), with complete impact on vulnerable system confidentiality, integrity, and availability (VC:H/VI:H/VA:H) but no subsequent system impact (SC:N/SI:N/SA:N).

RemediationAI

No vendor-released patch identified at time of analysis due to vendor non-responsiveness to disclosure. Until an official fix is available, implement these compensating controls: (1) Deploy Notepad2 to directories where low-privilege users cannot write files (e.g., C:\Program Files with proper ACLs), preventing DLL placement in the application directory. Trade-off: Requires administrative deployment but is highly effective. (2) Use Windows Defender Application Control (WDAC) or AppLocker policies to whitelist only signed DLLs loaded by Notepad2.exe, blocking unsigned malicious TextShaping.dll. Trade-off: May require initial policy tuning and impacts only Windows 10+ Enterprise/Education editions. (3) Monitor filesystem writes to Notepad2 installation directories using tools like Sysmon (Event ID 11) or Windows Audit Object Access, alerting on unexpected DLL creation. Trade-off: Detective control only, generates operational overhead. (4) Consider migrating to actively maintained alternatives like Notepad++ or Notepad2-mod if vendor remains unresponsive. Consult VulDB advisory https://vuldb.com/?id.352373 for updates on patch availability.

Share

CVE-2026-4546 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy