CVE-2026-23512 is a vulnerability classified under CWE-426 (Untrusted Search Path) affecting SumatraPDF, a popular multi-format document reader for Windows. In versions 3.5.2 and earlier, when users access the Advanced Options setting, the application attempts to launch notepad.exe without specifying its full absolute path. On Windows systems, this behavior can be exploited by placing a malicious notepad.exe executable within the same directory as SumatraPDF's installation. Because Windows searches the current directory before system directories when resolving executable paths, the malicious executable will be run instead of the legitimate system notepad.exe. This leads to arbitrary code execution with the privileges of the user running SumatraPDF. The vulnerability requires local access to the system and user interaction to trigger the Advanced Options feature. The CVSS v3.1 score is 8.6 (high), reflecting the significant impact on confidentiality, integrity, and availability, combined with low attack complexity and no privileges required. Although no public exploits are currently known, the vulnerability poses a serious risk, especially in environments where users might be tricked into opening malicious files or where attackers have local access. The lack of an absolute path specification in launching notepad.exe is a classic example of untrusted search path issues, emphasizing the importance of secure coding practices in handling external process execution.

For European organizations, this vulnerability could lead to full system compromise if exploited, allowing attackers to execute arbitrary code, steal sensitive information, alter or destroy data, and disrupt operations. The risk is particularly acute in sectors relying on SumatraPDF for document handling, such as government agencies, financial institutions, legal firms, and critical infrastructure operators. Since exploitation requires local access and user interaction, the threat is higher in environments with less strict endpoint security or where users might be socially engineered. The compromise of user machines could serve as a foothold for lateral movement within networks, potentially impacting broader organizational security. Additionally, the vulnerability undermines trust in document handling workflows, which are critical in compliance-heavy European regulatory environments such as GDPR. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for targeted attacks or future exploit development.

European organizations should immediately upgrade SumatraPDF to a version later than 3.5.2 once available, as no patch links are currently provided. Until a patch is released, organizations should restrict access to the SumatraPDF installation directories to prevent unauthorized file placement. Implement application whitelisting and endpoint protection solutions that detect or block execution of unauthorized binaries in application directories. Educate users to avoid triggering Advanced Options unless necessary and to report suspicious behavior. Employ least privilege principles to limit user rights, reducing the impact of arbitrary code execution. Regularly audit installed software versions and maintain an inventory to identify vulnerable instances. Network segmentation and monitoring can help detect lateral movement attempts following exploitation. Finally, consider alternative PDF readers with better security postures if immediate patching is not feasible.