Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A weakness has been identified in Flos Freeware Notepad2 4.2.25. This impacts an unknown function in the library TextShaping.dll. Executing a manipulation can lead to uncontrolled search path. The attack is restricted to local execution. The attack requires a high level of complexity. The exploitability is said to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
DLL hijacking in Flos Freeware Notepad2 4.2.25 enables local privilege escalation when an attacker with low-privilege access can place a malicious TextShaping.dll in the application's search path, achieving high confidentiality, integrity, and availability impact. Exploitation requires high attack complexity and is considered difficult per vendor assessment. No public exploit identified at time of analysis, with EPSS score of 0.01% indicating minimal observed exploitation activity. Vendor unresponsive to disclosure, leaving patch status uncertain.
Technical ContextAI
This vulnerability exploits CWE-427 (Uncontrolled Search Path Element), commonly known as DLL hijacking or binary planting. When Notepad2 loads TextShaping.dll, it searches multiple filesystem locations in a predictable order. An attacker who can write to an earlier-searched directory (such as the application directory or current working directory) can place a malicious DLL that the application will load instead of the legitimate library. The CPE identifier cpe:2.3:a:flos_freeware:notepad2:4.2.25 confirms this affects the specific Flos Freeware implementation of Notepad2, a lightweight text editor. The CVSS 4.0 vector indicates local attack vector (AV:L) with high attack complexity (AC:H), requiring low privileges (PR:L) but no user interaction (UI:N), with complete impact on vulnerable system confidentiality, integrity, and availability (VC:H/VI:H/VA:H) but no subsequent system impact (SC:N/SI:N/SA:N).
RemediationAI
No vendor-released patch identified at time of analysis due to vendor non-responsiveness to disclosure. Until an official fix is available, implement these compensating controls: (1) Deploy Notepad2 to directories where low-privilege users cannot write files (e.g., C:\Program Files with proper ACLs), preventing DLL placement in the application directory. Trade-off: Requires administrative deployment but is highly effective. (2) Use Windows Defender Application Control (WDAC) or AppLocker policies to whitelist only signed DLLs loaded by Notepad2.exe, blocking unsigned malicious TextShaping.dll. Trade-off: May require initial policy tuning and impacts only Windows 10+ Enterprise/Education editions. (3) Monitor filesystem writes to Notepad2 installation directories using tools like Sysmon (Event ID 11) or Windows Audit Object Access, alerting on unexpected DLL creation. Trade-off: Detective control only, generates operational overhead. (4) Consider migrating to actively maintained alternatives like Notepad++ or Notepad2-mod if vendor remains unresponsive. Consult VulDB advisory https://vuldb.com/?id.352373 for updates on patch availability.
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14303
GHSA-c87r-r9gf-jq2q