Cyber Resilience

CVE-2026-2538

HighLPE

Published: 16 February 2026

Published
16 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0016 5.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-2538 is a high-severity Untrusted Search Path (CWE-426) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL (T1574.001); ranked at the 5.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security flaw has been discovered in Flos Freeware Notepad2 4.2.22/4.2.23/4.2.24/4.2.25. Affected is an unknown function in the library Msimg32.dll. Performing a manipulation results in uncontrolled search path. Attacking locally is a requirement. The attack's complexity is rated as high.…

more

The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1574.001 DLL Stealth
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.
Why these techniques?

Uncontrolled search path in Msimg32.dll directly enables DLL search order hijacking/side-loading (CWE-426/427).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References