CVE-2026-33156
Published: 20 March 2026
Summary
CVE-2026-33156 is a high-severity Untrusted Search Path (CWE-426) vulnerability in ScreenToGif. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique DLL Side-Loading (T1574.002). The CVE ranks at the 5.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces secure configuration settings such as Windows Safe DLL Search Mode, which prioritizes System32 over the current user-writable directory, directly preventing DLL sideloading of version.dll.
Establishes and enforces policies prohibiting or monitoring execution of portable applications like ScreenToGif from user-writable directories where attackers can place malicious DLLs.
Deploys malicious code protection mechanisms to perform real-time scans and block execution of malicious version.dll when ScreenToGif is launched from a compromised directory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct DLL side-loading via an untrusted search path (CWE-426/427) in the portable app directory enables T1574.002 for arbitrary code execution.
NVD Description
ScreenToGif is a screen recording tool. In versions from 2.42.1 and prior, ScreenToGif is vulnerable to DLL sideloading via version.dll. When the portable executable is run from a user-writable directory, it loads version.dll from the application directory instead of the Windows System32 directory, allowing arbitrary code execution in the user's context. This is especially impactful because ScreenToGif is primarily distributed as a portable application intended to be run from user-writable locations. At time of publication, there are no publicly available patches.
Deeper analysis
CVE-2026-33156 is a DLL sideloading vulnerability affecting ScreenToGif, an open-source screen recording tool for Windows. Versions 2.42.1 and prior are vulnerable due to the portable executable loading version.dll from the application directory rather than the Windows System32 directory when run from a user-writable location. This issue corresponds to CWE-426 (Untrusted Search Path) and CWE-427 (Untrusted Search Path to Fixed Name), enabling arbitrary code execution in the user's context.
An attacker with local access can exploit this vulnerability by placing a malicious version.dll in the same user-writable directory as the ScreenToGif executable. When a user runs the application, it loads the attacker's DLL instead of the legitimate system version, resulting in code execution with the privileges of the running user. The attack requires low complexity and user interaction, such as launching the portable app, but no special privileges, with potential for high impacts on confidentiality, integrity, and availability.
The GitHub Security Advisory (GHSA-3fmj-j696-9mg2) confirms no publicly available patches exist as of publication. Users should avoid running ScreenToGif from untrusted or writable directories and monitor for official updates from the project maintainers.
This vulnerability is particularly notable given ScreenToGif's design as a portable application typically executed from user-writable locations, increasing its real-world risk for end users downloading and running it directly. No evidence of active exploitation in the wild has been reported.
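A defender-side check for the condition described above, as an added example that is not code from the advisory or from the ScreenToGif project: it walks a directory tree and reports any version.dll sitting in the same directory as the ScreenToGif executable. The executable file name `ScreenToGif.exe` and the function names are assumptions; only version.dll is named on this page.

```python
import hashlib
import os
from pathlib import Path

# Assumption: the portable executable's file name (not stated on the page).
EXE_NAME = "ScreenToGif.exe"
# The DLL name the advisory says is loaded from the application directory.
WATCHED_DLLS = {"version.dll"}


def sha256_of(path):
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sideload_candidates(root, exe_name=EXE_NAME, watched=WATCHED_DLLS):
    """Return one record per watched DLL found beside the executable under root."""
    findings = []
    watched = {name.lower() for name in watched}
    # onerror swallows unreadable directories so one ACL denial does not stop the scan.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        # Windows file names are case-insensitive, so compare lowercased names.
        lowered = {name.lower(): name for name in files}
        if exe_name.lower() not in lowered:
            continue
        for name in sorted(watched.intersection(lowered)):
            dll_path = Path(dirpath) / lowered[name]
            try:
                file_hash = sha256_of(dll_path)
            except OSError:
                file_hash = None  # unreadable, but still worth reporting
            findings.append({
                "directory": dirpath,
                "dll": lowered[name],
                "sha256": file_hash,
                "dir_writable": os.access(dirpath, os.W_OK),
            })
    return findings


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else str(Path.home())
    for hit in find_sideload_candidates(scan_root):
        print(f"{hit['directory']}: {hit['dll']} sha256={hit['sha256']} "
              f"dir_writable={hit['dir_writable']}")
```

Each hit is a triage candidate rather than a verdict: the hash lets the file be compared against known-good copies or looked up before deciding whether it was planted.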
Details
- CWE(s)