Cyber Posture

CVE-2026-23512

High · Public PoC · LPE

Published: 14 January 2026
Modified: 03 February 2026
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS Score: 8.6 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.7th percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23512 is a high-severity Untrusted Search Path (CWE-426) vulnerability in SumatraPDF (vendor sumatrapdfreader), affecting version 3.5.2 and earlier. Its CVSS v3.1 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008). The CVE sits at the 5.7th EPSS percentile for exploit likelihood (well below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Path Interception by Search Order Hijacking (T1574.008). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent · SI-2 Flaw Remediation: Directly remediates the untrusted search path by identifying, reporting, and applying the vendor patch, which makes the application launch notepad.exe by absolute path.

prevent · SI-3 Malicious Code Protection: Blocks the payload at execution time through application allowlisting or antivirus, so an unsigned or unexpected notepad.exe in the installation directory is not allowed to run.

prevent · AC-3 Access Enforcement: Enforces file-system access controls that deny write access to the SumatraPDF installation directory for standard users, so the malicious notepad.exe cannot be placed there in the first place.

MITRE ATT&CK Enterprise Techniques · AI

T1574.008 Path Interception by Search Order Hijacking · Stealth
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Why these techniques?

An untrusted search path (CWE-426) directly enables search-order hijacking: because the executable name carries no path, Windows CreateProcess searches the directory the calling application loaded from before the system directories, so a notepad.exe planted in the SumatraPDF installation directory is the one that runs.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is an Untrusted Search Path vulnerability when the Advanced Options setting is triggered. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution.

Deeper analysisAI

CVE-2026-23512 is an Untrusted Search Path vulnerability (CWE-426) affecting SumatraPDF, a multi-format reader for Windows, in versions 3.5.2 and earlier. The issue arises when the Advanced Options setting is triggered, as the application executes notepad.exe without specifying an absolute path. On Windows, this permits a malicious notepad.exe placed in the application's installation directory to be run instead, resulting in arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

A local attacker needs write access to the SumatraPDF installation directory in order to plant a malicious notepad.exe there. Because Windows CreateProcess searches the directory from which the calling application loaded before the Windows system directories whenever the executable name carries no path, that planted copy takes precedence over %SystemRoot%\System32\notepad.exe. Exploitation then waits for a user to trigger the Advanced Options setting; the planted binary runs with that user's privileges, which is why the impact on confidentiality, integrity, and availability is rated high and a scope change applies. In practice the precondition is met where SumatraPDF lives in a user-writable location (a per-user or portable install) or where the directory's ACL has been loosened; a default Program Files install with standard ACLs is not writable by standard users, so an attacker there already needs elevated write access.

Mitigation details are provided in the SumatraPDF GitHub security advisory (GHSA-rqg5-gj63-x4mv) and the patching commit (2762e02a8cd7cb779c934a44257aac56ab7de673). Security practitioners should recommend updating to a patched version of SumatraPDF later than 3.5.2.
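The following PowerShell audit is an added example for this page, not code from the SumatraPDF project or the advisory. It checks the three things the analysis above turns on: whether an installed SumatraPDF.exe is in the affected range (3.5.2 and earlier), whether a notepad.exe has been planted in the install directory, and whether any low-privileged principal holds write rights on that directory (the AC-3 precondition for T1574.008). The install paths and the list of low-privileged principals are assumptions for illustration; adjust them to the deployment being checked.

```powershell
# Added audit example for CVE-2026-23512; not SumatraPDF project code.
# Read-only: it changes nothing. Install paths and the principal list below are
# assumptions for illustration; adjust them to the deployment being checked.

$candidates = @(
    (Join-Path $env:ProgramFiles 'SumatraPDF'),   # assumed per-machine install path
    (Join-Path $env:LOCALAPPDATA 'SumatraPDF')    # assumed per-user/portable path (user-writable by design)
)

# Principals that should never be able to create or replace files in an install directory.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Any of these rights lets a principal drop a notepad.exe into the directory.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

# The only notepad.exe the application should ever reach is the Windows one.
$legitNotepad = Join-Path $env:SystemRoot 'System32\notepad.exe'
$legitHash    = (Get-FileHash -Algorithm SHA256 -LiteralPath $legitNotepad).Hash

foreach ($dir in $candidates) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    Write-Host "== $dir"

    # 1. Version check: 3.5.2 and earlier are affected.
    $exe = Join-Path $dir 'SumatraPDF.exe'
    if (Test-Path -LiteralPath $exe) {
        $raw = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        try {
            if ([version]$raw -le [version]'3.5.2') {
                Write-Warning "SumatraPDF $raw is in the affected range for CVE-2026-23512; update it."
            } else {
                Write-Host "SumatraPDF $raw is outside the affected range."
            }
        } catch {
            Write-Warning "Could not parse version string '$raw'; verify the version manually."
        }
    }

    # 2. Planted binary: notepad.exe has no business in this directory at all.
    $rogue = Join-Path $dir 'notepad.exe'
    if (Test-Path -LiteralPath $rogue) {
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $rogue).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $rogue
        Write-Warning ("notepad.exe found in {0} (identical to System32 copy: {1}; signature: {2})" -f
            $dir, ($hash -eq $legitHash), $sig.Status)
    }

    # 3. ACL check (AC-3 precondition): can a low-privileged principal write here?
    $acl     = Get-Acl -LiteralPath $dir
    $exposed = $false
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            $exposed = $true
            Write-Warning ("{0} holds '{1}' on {2}: a standard user can plant notepad.exe here" -f
                $ace.IdentityReference.Value, $ace.FileSystemRights, $dir)
        }
    }
    if (-not $exposed) { Write-Host "No low-privileged principal has write rights on $dir." }
}
```

A finding under the per-user path is expected rather than a misconfiguration: that directory is writable by its owner by design, which is exactly why the durable fix is the version update rather than an ACL change. A writable per-machine install, or any notepad.exe in either directory, is worth an incident ticket regardless of version.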

Details

CWE(s)

CWE-426 Untrusted Search Path

Affected Products

sumatrapdfreader / sumatrapdf ≤ 3.5.2

CVEs Like This One

CVE-2026-25880 · Same product: Sumatrapdfreader Sumatrapdf
CVE-2025-27167 · Same product: Microsoft Windows
CVE-2026-21280 · Same product: Microsoft Windows
CVE-2026-27290 · Same product: Microsoft Windows
CVE-2025-24789 · Same product: Microsoft Windows
CVE-2025-21399 · Same vendor: Microsoft
CVE-2026-35603 · Same product: Microsoft Windows
CVE-2026-21333 · Same product: Microsoft Windows
CVE-2026-25190 · Same vendor: Microsoft
CVE-2026-32009 · Shared CWE-426

References