CVE-2026-23512: One Click, One Binary — How a Hidden Search Path Flaw in SumatraPDF Can Hand Over Code Execution

CVE ID: CVE-2026-23512
Severity: High
CVSS Score: ~8.6
Type: Local Code Execution via Untrusted Search Path (CWE-426)
Exploitability: Requires write access to a directory Windows searches before System32 (typically the folder SumatraPDF runs from) plus user interaction (opening Advanced Options)
Availability of Proof of Concept: Yes (publicly discussed demonstration exists)


Overview — What This Vulnerability Is and Why It Matters

SumatraPDF is a very lightweight and popular document reader for Windows. It’s designed to open PDFs, ePubs, XPS, and other formats quickly. Because it’s so small and widely used, security issues in it matter to a lot of people.

CVE-2026-23512 is fundamentally a design flaw: when SumatraPDF launches the system text editor (Notepad) so you can edit its settings file, it does not tell Windows exactly where Notepad lives. It asks for "notepad.exe" by bare name and leaves it to Windows to walk a list of folders in a fixed order and run the first file that matches.

That sounds harmless, but if someone can drop their own notepad.exe into a folder that is searched before the real system folder, Windows will happily run the fake one.

That fake can do anything a real Notepad process could do — and if it’s malicious, it can do far more.


Root Cause — The Untrusted Search Path Problem

On Windows, when an application asks CreateProcess to start a program by bare name, with no directory in front of it, the loader searches a fixed sequence of directories and runs the first match: the directory the calling application was loaded from, the current directory of the parent process, the System32 directory, the 16-bit System directory, the Windows directory, and finally each directory on PATH. The first two entries are the ones an attacker can most easily control. (The exact list differs slightly for other launch APIs, but every one of them searches when handed a bare name.)

In the vulnerable versions of SumatraPDF, when the user chooses Advanced Options (or triggers editing the config), SumatraPDF runs:

notepad.exe "Path-to-settings-file"

with no directory component, so Windows has to go looking for it.

That means:
✔ If the first folder in the search order that contains a notepad.exe is C:\Windows\System32, the real Notepad opens.
✔ If a malicious notepad.exe sits in a folder Windows checks earlier (above all, the directory SumatraPDF.exe was loaded from, or the process's current directory), Windows executes that instead.

This is classic Untrusted Search Path (CWE-426) behavior: the attacker's binary runs because the program trusted whatever matched first.
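
The following Python model, added here and not taken from SumatraPDF's source, reproduces that CreateProcess search order on a scratch directory tree so the hijack and the fix can be run side by side on any OS. The directory names are stand-ins for the real Windows folders, and the "hardened" resolver shows what a fix looks like in principle (build the full path from the system directory, which on Windows means GetSystemDirectoryW plus the file name handed to CreateProcessW); that is an assumption of this example, not a description of the project's patch.

```python
"""Model of the Windows search order that CVE-2026-23512 abuses (added example).

This is not SumatraPDF's code. It reproduces the documented CreateProcess
search order on a scratch directory so the hijack and the fix can be run on
any OS; the directory names are stand-ins for the real Windows folders.
"""
import tempfile
from pathlib import Path


def search_order(app_dir: Path, cwd: Path, windows_dir: Path, path_dirs: list) -> list:
    """Directories CreateProcess tries, in order, for a bare executable name."""
    return [
        app_dir,                   # 1. directory the calling application was loaded from
        cwd,                       # 2. current directory of the parent process
        windows_dir / "System32",  # 3. 32-bit Windows system directory
        windows_dir / "System",    # 4. 16-bit Windows system directory
        windows_dir,               # 5. Windows directory
        *path_dirs,                # 6. each directory listed in PATH
    ]


def resolve_bare_name(name: str, app_dir: Path, cwd: Path, windows_dir: Path, path_dirs=()):
    """Vulnerable pattern: launch "notepad.exe" by name; the first match wins."""
    for directory in search_order(app_dir, cwd, windows_dir, list(path_dirs)):
        candidate = directory / name
        if candidate.is_file():
            return candidate
    return None


def resolve_system_binary(name: str, windows_dir: Path):
    """Hardened pattern: build the absolute path yourself and never search.

    On Windows this corresponds to GetSystemDirectoryW() + "\\" + name,
    passed as a full path to CreateProcessW (assumed fix shape, see lead-in).
    """
    candidate = windows_dir / "System32" / name
    return candidate if candidate.is_file() else None


def demo() -> dict:
    """Plant a fake notepad.exe beside the app and see which file each resolver picks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        windows_dir = root / "Windows"
        app_dir = root / "Removable" / "SumatraPDF"   # stands in for a USB stick or share
        (windows_dir / "System32").mkdir(parents=True)
        app_dir.mkdir(parents=True)
        (windows_dir / "System32" / "notepad.exe").write_text("genuine")

        before = resolve_bare_name("notepad.exe", app_dir, root, windows_dir)
        (app_dir / "notepad.exe").write_text("planted")   # the attacker's file
        after = resolve_bare_name("notepad.exe", app_dir, root, windows_dir)
        fixed = resolve_system_binary("notepad.exe", windows_dir)
        return {
            "before_plant": before.read_text(),
            "after_plant": after.read_text(),
            "hardened": fixed.read_text(),
        }


if __name__ == "__main__":
    print(demo())   # {'before_plant': 'genuine', 'after_plant': 'planted', 'hardened': 'genuine'}
```

The point the model makes concrete: nothing about the planted file is special, it simply sits at position 1 of the list, and the only robust fix is to never hand the loader a bare name in the first place.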


How It Can Be Exploited

Here’s a realistic scenario:

  1. Attacker or tester writes a custom malicious notepad.exe — this can be a simple binary that spawns a shell or does more complex actions.
  2. The attacker places that malicious notepad.exe into the same folder where SumatraPDF.exe is located — for example:
    • A shared network drive
    • A USB stick
    • A folder where multiple people have write access
  3. A user runs SumatraPDF from that folder (the portable build is the typical case; an installed copy under C:\Program Files is not writable by standard users).
  4. The user opens Advanced Options, which launches an editor on the settings file.
  5. Windows resolves "notepad.exe" starting with the folder SumatraPDF.exe was loaded from, finds the planted file there, and runs it.
  6. The planted binary runs with the user's privileges and receives the settings file path as its argument.

Result: Arbitrary code execution. The attacker’s binary now runs as the user.

If the user has higher privileges (admin), the impact is even more severe. Even without high privileges, this is a serious local code execution vulnerability.


Proof of Concept (Educational)

Security researchers and testers have shown that this flaw can be used to demonstrate code execution by placing a fake notepad.exe beside the SumatraPDF executable.

A simple educational PoC might:

  • Be named notepad.exe
  • Instead of launching a text editor, it launches Calculator (calc.exe)
  • Writes a text file to disk to show it was executed

Example conceptual behavior in a PoC:

Start calc.exe
Create file "exploit_success.txt"
Exit

That’s enough to prove that the execution path was hijacked — the key takeaway is that SumatraPDF will run the local fake notepad.exe instead of the real one.


What Makes This Realistically Dangerous

  • It doesn't require network access, only write access to a directory Windows searches before System32 when SumatraPDF launches Notepad (above all, SumatraPDF's own folder).
  • Many environments use shared folders, USB drives, or developer directories where users have write access.
  • Users often open SumatraPDF from those places without realizing the risk.
  • Because it executes with user privileges, malware can drop persistence, steal data, or escalate further.

How to Detect Exploitation or an Attempt

1. Watch for Suspicious notepad.exe Execution

The clearest sign of exploitation is a notepad.exe process whose image path is not one of the genuine Windows copies, especially when its parent process is SumatraPDF.exe.

Genuine Notepad runs from one of these locations:

C:\Windows\System32\notepad.exe
C:\Windows\SysWOW64\notepad.exe (what a 32-bit SumatraPDF build launches on 64-bit Windows, because of file system redirection)
C:\Windows\notepad.exe

On Windows 11 the Store version of Notepad additionally runs from under C:\Program Files\WindowsApps\, so allow-list that prefix rather than alerting on it. A rule that only accepts the System32 path will page you on every 32-bit build.

If you see:

D:\Docs\SomeFolder\SumatraPDF\notepad.exe

that is abnormal and almost certainly malicious.


2. Monitor File Creations in SumatraPDF Folders

If someone creates an executable (especially named notepad.exe) in a folder where SumatraPDF lives, that’s a red flag.

Look for:

  • New .exe files
  • Unexpected file modification times
  • Executable files placed by non-administrative users

3. Correlate with Advanced Options Usage

If a user opens Advanced Options in SumatraPDF and shortly afterward an unexpected notepad.exe runs, that’s a strong indicator.

Keep an eye on:

  • Parent process being SumatraPDF.exe
  • Child process named notepad.exe not coming from a genuine Notepad location (System32, SysWOW64, C:\Windows, or the Windows 11 Store package)

Example Detection Logic

Alert Condition #1 — Executable in SumatraPDF Folder

If file created: *.exe in SumatraPDF directory
AND creator is standard user
→ generate alert

Alert Condition #2 — Unexpected Notepad Execution

If process creation: notepad.exe
AND process image path is not a genuine Notepad location (C:\Windows\System32\notepad.exe, C:\Windows\SysWOW64\notepad.exe for 32-bit builds, C:\Windows\notepad.exe, or the Windows 11 Store Notepad under C:\Program Files\WindowsApps\)
AND parent process is SumatraPDF.exe
→ generate high severity alert

Alert Condition #3 — Process Chain

SumatraPDF.exe
→ notepad.exe (not a genuine Notepad location)
→ unexpected child process
→ alert and investigate

These help you detect exploitation attempts rather than just the presence of the vulnerability.
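
The three conditions above as runnable detection logic, added here as an example rather than taken from any vendor or SIEM content. It runs over a handful of constructed Sysmon-style events (Event ID 1 ProcessCreate and Event ID 11 FileCreate, written as dicts with the usual field names); the privileged-account set and the sample events are made up for the demo, and a real deployment would feed the same function from the Sysmon channel.

```python
"""The three alert conditions above as runnable detection logic (added example).

This is not vendor code. It runs over a few constructed Sysmon-style events
(Event ID 1 ProcessCreate, Event ID 11 FileCreate) written as dicts; a real
deployment would feed the same function from the Sysmon channel or a SIEM.
"""
import ntpath

# Genuine Notepad image paths. SysWOW64 is what a 32-bit SumatraPDF build
# launches on 64-bit Windows; the WindowsApps prefix covers the Windows 11
# Store Notepad. Extend this for your environment.
GENUINE_NOTEPAD = {
    r"c:\windows\system32\notepad.exe",
    r"c:\windows\syswow64\notepad.exe",
    r"c:\windows\notepad.exe",
}
GENUINE_NOTEPAD_PREFIXES = ("c:\\program files\\windowsapps\\",)

# Constructed: Sysmon FileCreate does not say whether the user is an admin,
# so the privileged-account list has to come from your own inventory.
ADMIN_ACCOUNTS = {r"corp\itadmin"}


def is_genuine_notepad(image: str) -> bool:
    """True if the image path is one of the known-good Notepad locations."""
    p = image.lower()
    return p in GENUINE_NOTEPAD or p.startswith(GENUINE_NOTEPAD_PREFIXES)


def detect(events: list) -> list:
    """Apply alert conditions 1-3 to events in order; returns one dict per alert."""
    alerts = []
    sumatra_dirs = set()      # folders a SumatraPDF.exe has been seen running from
    rogue_notepads = {}       # pid -> image path of a notepad.exe flagged by rule 2

    for ev in events:
        if ev["EventID"] == 1:                                    # ProcessCreate
            image = ev["Image"].lower()
            parent = ev["ParentImage"].lower()
            if ntpath.basename(image) == "sumatrapdf.exe":
                sumatra_dirs.add(ntpath.dirname(image))
            if (ntpath.basename(image) == "notepad.exe"
                    and not is_genuine_notepad(image)
                    and ntpath.basename(parent) == "sumatrapdf.exe"):
                rogue_notepads[ev["ProcessId"]] = image          # rule 2
                alerts.append({"rule": 2, "severity": "high",
                               "pid": ev["ProcessId"], "image": image})
            elif ev["ParentProcessId"] in rogue_notepads:         # rule 3
                # PID reuse can cause a false match here; a production detector
                # should key on Sysmon's ParentProcessGuid instead of the PID.
                alerts.append({"rule": 3, "severity": "high",
                               "pid": ev["ProcessId"], "image": image,
                               "parent": rogue_notepads[ev["ParentProcessId"]]})
        elif ev["EventID"] == 11:                                 # FileCreate
            target = ev["TargetFilename"].lower()
            if (target.endswith(".exe")
                    and ntpath.dirname(target) in sumatra_dirs
                    and ev["User"].lower() not in ADMIN_ACCOUNTS):
                alerts.append({"rule": 1, "severity": "medium",     # rule 1
                               "file": target, "user": ev["User"]})
    return alerts


# Constructed sample events, not real telemetry.
APP = r"D:\Docs\SomeFolder\SumatraPDF"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": APP + r"\SumatraPDF.exe", "ProcessId": 3000,
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 1200, "User": r"CORP\alice"},
    # 32-bit build opening the real editor: no alert
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\notepad.exe", "ProcessId": 3100,
     "ParentImage": APP + r"\SumatraPDF.exe", "ParentProcessId": 3000, "User": r"CORP\alice"},
    # another user plants a binary in the app folder: rule 1
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": APP + r"\notepad.exe", "User": r"CORP\mallory"},
    {"EventID": 1, "Image": APP + r"\SumatraPDF.exe", "ProcessId": 4100,
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 1200, "User": r"CORP\alice"},
    # Advanced Options now launches the planted file: rule 2
    {"EventID": 1, "Image": APP + r"\notepad.exe", "ProcessId": 4320,
     "ParentImage": APP + r"\SumatraPDF.exe", "ParentProcessId": 4100, "User": r"CORP\alice"},
    # and the planted file spawns a shell: rule 3
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ProcessId": 4400,
     "ParentImage": APP + r"\notepad.exe", "ParentProcessId": 4320, "User": r"CORP\alice"},
    # unrelated activity: no alert
    {"EventID": 1, "Image": r"C:\Windows\System32\calc.exe", "ProcessId": 4500,
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 1200, "User": r"CORP\alice"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample it produces exactly one alert per rule, in the order the events arrive, and stays quiet on the SysWOW64 launch that a naive "must be System32" rule would have flagged. Rule 1 only fires for folders the detector has already seen SumatraPDF.exe run from; seed `sumatra_dirs` from your software inventory if you want it to catch a plant that happens before the first launch.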


Immediate Mitigation Steps

Before you patch:

  1. Do NOT run SumatraPDF from folders where other people can write files.
    • Don't run it from shared network drives
    • Don't run it from USB sticks
    • Install it in a protected location such as C:\Program Files, which standard users cannot write to by default (the portable build run from an arbitrary folder is the risky setup)
  2. Lock down permissions on SumatraPDF directories
    • Remove write access for standard users (icacls or the folder's Security tab)
    • Only administrators should be able to put files there
    • While you are there, delete any notepad.exe already sitting beside SumatraPDF.exe
  3. Use application control policies
    • AppLocker or WDAC rules can block executables that are not signed by trusted publishers or that run from outside approved program folders
    • Prevent execution of unknown executables in program folders
  4. Train users
    • Warn them not to open Advanced Options when SumatraPDF was launched from a removable drive or a shared folder
    • Make them aware this particular action can lead to unsafe execution
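
A pre-patch audit that checks a SumatraPDF folder for the conditions the steps above are meant to prevent, added here as an example and not part of SumatraPDF or any vendor tooling. It takes the application folder and the path of the genuine notepad.exe, reports the location, whether the current user can write there, whether a notepad.exe is already planted beside the app, and any other stray executable. The `EXPECTED_EXES` set and the scratch tree in `demo()` are assumptions for the demo; `os.access` only answers for the user running the script, so on Windows follow up with icacls to see every principal that holds write access.

```python
"""Pre-patch audit of where SumatraPDF is running from (added example).

Not vendor code. Given the SumatraPDF folder and the path of the genuine
notepad.exe, it reports the conditions the mitigation steps try to prevent.
It runs on any OS; on Windows call it with real paths and follow up with
icacls for the permission findings.
"""
import hashlib
import os
import tempfile
from pathlib import Path

EXPECTED_EXES = {"sumatrapdf.exe"}   # executables that belong in the app folder (assumed)


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_install_dir(app_dir: Path, genuine_notepad: Path) -> list:
    """Return (finding, detail) tuples; an empty list means nothing to flag."""
    findings = []
    app_dir = Path(app_dir)
    text = str(app_dir)

    # 1. Location: UNC shares and non-system drives are the usual shared/removable cases.
    if text.startswith("\\\\"):
        findings.append(("shared_location", f"{text} is a UNC share"))
    elif len(text) > 1 and text[1] == ":" and text[0].upper() != "C":
        findings.append(("non_system_drive", f"{text} is not on the system drive"))

    # 2. Writable by the current user. os.access only answers for *this* user;
    #    use icacls on Windows to see every principal with write access.
    if os.access(app_dir, os.W_OK):
        findings.append(("writable", f"current user can write to {text}"))

    # 3. A notepad.exe beside the app. Even a byte-identical copy of the real one
    #    should go: it proves someone can plant files there.
    planted = app_dir / "notepad.exe"
    if planted.is_file():
        if genuine_notepad.is_file() and sha256(planted) == sha256(genuine_notepad):
            findings.append(("copied_notepad", f"{planted} matches the genuine binary; remove it anyway"))
        else:
            findings.append(("foreign_notepad", f"{planted} does not match {genuine_notepad}"))

    # 4. Any other executable that does not belong in the folder.
    for exe in sorted(app_dir.glob("*.exe")):
        if exe.name.lower() not in EXPECTED_EXES | {"notepad.exe"}:
            findings.append(("unexpected_exe", str(exe)))
    return findings


def demo() -> list:
    """Build a scratch folder with a planted notepad.exe and a stray helper, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        genuine = root / "Windows" / "System32" / "notepad.exe"   # stand-in for the real one
        genuine.parent.mkdir(parents=True)
        genuine.write_text("genuine notepad")
        app_dir = root / "SumatraPDF"
        app_dir.mkdir()
        (app_dir / "SumatraPDF.exe").write_text("app")
        (app_dir / "notepad.exe").write_text("planted")   # attacker's file
        (app_dir / "helper.exe").write_text("stray")      # anything else unexpected
        return [name for name, _ in audit_install_dir(app_dir, genuine)]


if __name__ == "__main__":
    # On a real host: audit_install_dir(Path(r"D:\Docs\SomeFolder\SumatraPDF"),
    #                                   Path(r"C:\Windows\System32\notepad.exe"))
    for finding in demo():
        print(finding)
```

A clean result for an installed copy under C:\Program Files is an empty list when run as a standard user; anything else tells you which of the mitigation steps still applies.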

Remediation — How to Fix It

This flaw will be fixed in a future SumatraPDF release where the code explicitly points to the real Notepad path or uses a safer method to launch the editor.

You must update to the fixed version once published.

👉 Official Patch / Upgrade:
https://www.sumatrapdfreader.org/download-free-pdf-viewer

Only download and install from the official site above — patched versions will be released there when available.


How You Can Tell It’s Patched

A fixed SumatraPDF no longer asks Windows to search for notepad.exe. Instead it should:

✔ Launch Notepad by its full path, built from the Windows system directory rather than taken from the search order
✔ Launch any user-configured editor the same way, by an explicit path
✔ Thereby stop a local executable named notepad.exe from ever being picked up

To confirm this on a test machine after upgrading: copy SumatraPDF.exe into a scratch folder, place a harmless executable renamed to notepad.exe beside it, open Advanced Options, and check that the genuine Notepad (from C:\Windows\System32 or SysWOW64) opens rather than your decoy; then delete the scratch folder. If the decoy runs, the build you have is still vulnerable.


Final Takeaway

  • CVE-2026-23512 is a local code execution flaw caused by an untrusted search path for Notepad.
  • An attacker with write access to the SumatraPDF folder can plant a malicious notepad.exe and trick the user’s system into running it.
  • The vulnerability triggers when the user opens Advanced Options.
  • It’s not exploitable remotely without prior access and user interaction, but still high risk.
  • You can detect exploitation by monitoring for:
    • Notepad running from anywhere other than its genuine Windows locations (System32, SysWOW64, C:\Windows, or the Windows 11 Store package)
    • Executables placed beside SumatraPDF
    • Unusual process chains from SumatraPDF.exe
  • Lock down folder permissions now.
  • Update to the patched version when it becomes available from the official site.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.