Description
A security flaw has been discovered in Flos Freeware Notepad2 4.2.22/4.2.23/4.2.24/4.2.25. Affected is an unknown function in the library Msimg32.dll. Performing a manipulation results in uncontrolled search path. Attacking locally is a requirement. The attack's complexity is rated as high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-16
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential local code execution via DLL hijacking
Action: Assess Impact
AI Analysis

Impact

The flaw exists in Msimg32.dll used by Flos Freeware Notepad2 and exposes an uncontrolled search path. A local attacker can craft input that causes the application to load a malicious version of the DLL, enabling arbitrary code execution. The vulnerability is classified as CWE-426 and CWE-427 and is described as having high attack complexity and difficult exploitability.

Affected Systems

Flos Freeware Notepad2 versions 4.2.22 through 4.2.25 are affected.

Risk and Exploitability

The CVSS score is 7.3, indicating a high severity. The EPSS score is <1%, suggesting exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Because the attack requires local access, the risk is primarily for users with or who can compromise the local machine. There is no official vendor patch or workaround; the vulnerability remains unaddressed by the vendor as of the latest disclosure.

Generated by OpenCVE AI on April 17, 2026 at 19:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Notepad2 release that contains the fix, if one has been issued
  • Enforce strict DLL load order using Windows policies (e.g., AppLocker or DLL search order configuration) to prevent hijacked Msimg32.dll loading
  • Remove or relocate Msimg32.dll from the directory used by Notepad2 so that the system’s system directory version is mandatory
  • Monitor for unexpected DLLs in the application directory and check for anomalous process creation

Generated by OpenCVE AI on April 17, 2026 at 19:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Flos Freeware
Flos Freeware notepad2
Vendors & Products Flos Freeware
Flos Freeware notepad2

Mon, 16 Feb 2026 06:30:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Flos Freeware Notepad2 4.2.22/4.2.23/4.2.24/4.2.25. Affected is an unknown function in the library Msimg32.dll. Performing a manipulation results in uncontrolled search path. Attacking locally is a requirement. The attack's complexity is rated as high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Title Flos Freeware Notepad2 Msimg32.dll uncontrolled search path
Weaknesses CWE-426
CWE-427
References
Metrics cvssV2_0

{'score': 6, 'vector': 'AV:L/AC:H/Au:S/C:C/I:C/A:C/E:ND/RL:ND/RC:UR'}

cvssV3_0

{'score': 7, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R'}

cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R'}

cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Flos Freeware Notepad2
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:06:24.457Z

Reserved: 2026-02-15T09:24:12.532Z

Link: CVE-2026-2538

cve-icon Vulnrichment

Updated: 2026-02-17T16:59:33.264Z

cve-icon NVD

Status : Deferred

Published: 2026-02-16T07:17:00.537

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2538

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T19:15:26Z

Weaknesses