CVE-2026-2516: Uncontrolled Search Path in Unidocs ezPDF DRM Reader
CVE-2026-2516 is a high-severity vulnerability in Unidocs ezPDF DRM Reader versions 2.0 and 3.0.0.4 on 32-bit systems, caused by an uncontrolled search path issue involving the SHFOLDER.dll library. Exploitation requires local access and low privileges, with high attack complexity and no user interaction. Exploitation could lead to significant confidentiality, integrity, and availability impacts. Although the exploit is publicly available, no known active exploitation has been reported. The vendor has not responded to disclosure attempts, and no patches are currently available.
AI Analysis
Technical Summary
CVE-2026-2516 is a vulnerability identified in Unidocs ezPDF DRM Reader versions 2.0 and 3.0.0.4 running on 32-bit systems. The root cause is an uncontrolled search path issue related to the SHFOLDER.dll library, which is part of the Windows Shell Folder API. This vulnerability allows an attacker with local access and low privileges to manipulate the search path used by the application to load DLLs. By placing a malicious DLL in a location that the application searches before the legitimate SHFOLDER.dll, an attacker can execute arbitrary code within the context of the ezPDF DRM Reader process. The attack complexity is high, indicating that exploitation requires advanced skills and specific conditions. No user interaction is necessary, and the attacker does not need elevated privileges beyond low-level local access. The vulnerability does not require network access, limiting remote exploitation. The exploit code is publicly available, increasing the risk of opportunistic attacks. The vendor was contacted but did not respond or provide patches, leaving users exposed. The CVSS 4.0 score is 7.3 (high), reflecting the significant impact on confidentiality, integrity, and availability if exploited. No mitigations or patches have been officially released, and no known active exploitation in the wild has been reported so far.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially in environments where ezPDF DRM Reader 2.0 or 3.0.0.4 is deployed on 32-bit Windows systems. Potential impacts include unauthorized code execution leading to data theft, corruption, or disruption of document workflows. Confidentiality could be compromised if sensitive documents are accessed or exfiltrated. Integrity may be affected if malicious code alters document contents or application behavior. Availability could be disrupted by denial-of-service conditions caused by malicious DLLs. Since the attack requires local access, insider threats or compromised endpoints are the primary vectors. Organizations in sectors such as government, legal, publishing, and finance that rely on ezPDF DRM Reader for protected document handling are particularly vulnerable. The lack of vendor response and patches increases the risk exposure. The public availability of exploit code raises the likelihood of exploitation attempts, especially in environments with weak endpoint security controls.
Mitigation Recommendations
1. Restrict local access to systems running vulnerable versions of ezPDF DRM Reader by enforcing strict user account controls and limiting physical and remote desktop access.
2. Implement application whitelisting to prevent unauthorized DLLs from loading within the ezPDF DRM Reader process.
3. Use endpoint detection and response (EDR) tools to monitor for suspicious DLL loading behavior and anomalous process activity related to ezPDF DRM Reader.
4. Consider migrating to alternative PDF readers that are actively maintained and do not exhibit this vulnerability, especially on 32-bit systems.
5. If migration is not immediately feasible, isolate vulnerable systems in network segments with limited access and monitor logs for signs of local exploitation attempts.
6. Educate users about the risks of local privilege escalation and enforce policies to prevent installation of unauthorized software or execution of untrusted code.
7. Regularly audit installed software versions and remove or upgrade any instances of ezPDF DRM Reader 2.0 or 3.0.0.4 on 32-bit platforms.
8. Maintain up-to-date backups of critical documents to mitigate potential data loss from exploitation.
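The DLL-load monitoring in recommendation 3 can be expressed as a rule over image-load telemetry. The sketch below is an added example, not code from this advisory or the vendor; it assumes Sysmon Event ID 7 style records (fields `Image`, `ImageLoaded`, `Signed`, `SignatureStatus`), a default `C:\Windows` system root, and a placeholder executable name, since the page does not name the reader's binary.

```python
import ntpath  # Windows path semantics regardless of the analysis host's OS

# Assumption: placeholder name; replace with the reader's real executable.
READER_IMAGES = {"ezpdfreader-placeholder.exe"}
TARGET_DLL = "shfolder.dll"
# Where the legitimate copy lives on a default install (assumed system root).
TRUSTED_DIRS = {ntpath.normcase(r"C:\Windows\System32"),
                ntpath.normcase(r"C:\Windows\SysWOW64")}

def classify(event):
    """Return a reason string if this image-load record is suspicious, else None."""
    image = ntpath.normcase(event.get("Image", ""))
    loaded = ntpath.normcase(event.get("ImageLoaded", ""))
    if ntpath.basename(loaded) != TARGET_DLL:
        return None
    if ntpath.basename(image) not in READER_IMAGES:
        return None
    reasons = []
    if ntpath.dirname(loaded) not in TRUSTED_DIRS:
        reasons.append("loaded from outside the Windows system directory")
    if ntpath.dirname(loaded) == ntpath.dirname(image):
        reasons.append("loaded from the application's own directory")
    signed = str(event.get("Signed", "")).lower() == "true"
    if not signed or event.get("SignatureStatus") != "Valid":
        reasons.append("not validly signed")
    return "; ".join(reasons) or None

def find_suspicious(events):
    """Return (ImageLoaded, reason) for every record that classify() flags."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev["ImageLoaded"], reason))
    return hits

# Constructed sample records (not real telemetry; install path is invented).
APP = r"C:\Program Files\Unidocs\ezpdfreader-placeholder.exe"
SAMPLE_EVENTS = [
    {"Image": APP, "ImageLoaded": r"C:\Windows\System32\shfolder.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": APP, "ImageLoaded": r"C:\Program Files\Unidocs\SHFOLDER.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\notepad.exe", "ImageLoaded": r"C:\Temp\shfolder.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": APP, "ImageLoaded": r"C:\Users\Public\shfolder.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for path, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {path}: {reason}")
```

The same predicate translates directly into an EDR or SIEM query; the signature check is a secondary signal, so the path condition should alert on its own.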
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-14T19:41:22.319Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6991bc8d4b0e3abdf95c3022
Added to database: 2/15/2026, 12:31:09 PM
Last enriched: 2/15/2026, 12:45:26 PM
Last updated: 2/15/2026, 2:38:40 PM