CVE-2026-33156: CWE-426: Untrusted Search Path in NickeManarin ScreenToGif
ScreenToGif is a screen recording tool. In versions 2.42.1 and prior, ScreenToGif is vulnerable to DLL sideloading via version.dll. When the portable executable is run from a user-writable directory, it loads version.dll from the application directory instead of the Windows System32 directory, allowing arbitrary code execution in the user's context. This is especially impactful because ScreenToGif is primarily distributed as a portable application intended to be run from user-writable locations. At the time of publication, there are no publicly available patches.
AI Analysis
Technical Summary
CVE-2026-33156 is a vulnerability classified under CWE-426 (Untrusted Search Path) and CWE-427 (Uncontrolled Search Path Element) affecting the ScreenToGif application, a screen recording tool developed by NickeManarin. In versions 2.42.1 and earlier, ScreenToGif improperly loads the version.dll library from the application's directory rather than the secure Windows System32 directory. This behavior creates a DLL sideloading attack vector when the application is executed from a user-writable directory, which is common since ScreenToGif is primarily distributed as a portable executable designed to run without installation. An attacker with write access to the directory can place a malicious version.dll file that will be loaded by ScreenToGif, resulting in arbitrary code execution under the context of the user running the application. The vulnerability has a CVSS 3.1 base score of 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity, no privileges required, but requiring user interaction to launch the app. No patches or official fixes are available at the time of disclosure, and no public exploits have been reported. This vulnerability highlights the risks of portable applications loading DLLs insecurely from user-controlled locations, emphasizing the need for secure DLL search order and application execution policies.
Potential Impact
The impact of CVE-2026-33156 is significant for organizations worldwide using ScreenToGif, especially in environments where users can execute portable applications from writable directories such as desktops, downloads folders, or shared network drives. Successful exploitation allows attackers to execute arbitrary code with the privileges of the logged-in user, potentially leading to credential theft, lateral movement, installation of persistent malware, or data exfiltration. Since the vulnerability affects confidentiality, integrity, and availability, it can facilitate a range of malicious activities including espionage, sabotage, or ransomware deployment. The lack of required privileges lowers the barrier for exploitation, making it a viable vector for insider threats or attackers who have gained limited access. The absence of patches increases exposure duration, and organizations relying on ScreenToGif for productivity or content creation may face operational disruptions or data breaches if exploited.
Mitigation Recommendations
To mitigate CVE-2026-33156, organizations should implement the following specific measures:
1) Restrict execution of portable applications like ScreenToGif from user-writable directories by enforcing application whitelisting or using AppLocker/Windows Defender Application Control policies to allow execution only from trusted locations such as Program Files or system directories.
2) Educate users to avoid running portable executables from untrusted or shared folders and to report suspicious files.
3) Regularly audit directories where users commonly run portable apps for unauthorized DLL files, especially version.dll, and remove any suspicious files.
4) Employ endpoint detection and response (EDR) solutions to monitor for anomalous DLL loading behaviors and execution of ScreenToGif from unusual paths.
5) Isolate or sandbox user environments where portable apps are necessary to limit potential damage.
6) Monitor vendor communications for patches or updates addressing this vulnerability and apply them promptly once available.
7) Consider alternative screen recording tools with secure DLL loading practices until a fix is released.
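The directory audit in measure 3, as an added PowerShell example (not part of the original advisory or of the ScreenToGif project): it looks for a version.dll sitting beside ScreenToGif.exe under a set of user-writable folders and reports signature status and hash for triage. The executable name ScreenToGif.exe and the default folder list are assumptions; adjust both to your environment.

```powershell
# Added example: find version.dll placed next to ScreenToGif.exe.
# Assumptions: the executable is named ScreenToGif.exe, and $Roots lists
# example locations where users tend to keep portable applications.
param(
    [string[]]$Roots = @(
        (Join-Path $env:USERPROFILE 'Desktop'),
        (Join-Path $env:USERPROFILE 'Downloads'),
        (Join-Path $env:USERPROFILE 'Documents')
    )
)

$findings = foreach ($root in $Roots) {
    # Skip roots that do not exist for this user.
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'ScreenToGif.exe' `
                  -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Per the advisory, the affected versions load version.dll from the
        # application directory, so any copy there needs review.
        $dll = Join-Path $_.DirectoryName 'version.dll'
        if (Test-Path -LiteralPath $dll -PathType Leaf) {
            $sig  = Get-AuthenticodeSignature -LiteralPath $dll
            $hash = Get-FileHash -Algorithm SHA256 -LiteralPath $dll
            $item = Get-Item -LiteralPath $dll

            [pscustomobject]@{
                Executable      = $_.FullName
                SideBySideDll   = $dll
                SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer          = $sig.SignerCertificate.Subject
                LastWriteTime   = $item.LastWriteTime
                SHA256          = $hash.Hash
            }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    Write-Output 'No version.dll found beside ScreenToGif.exe in the scanned roots.'
}
```

A result with SignatureStatus other than Valid, or with a LastWriteTime later than the executable's, is the first thing to hand to incident response; a Valid signature alone does not make a side-by-side copy expected.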
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T21:17:08.886Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bdb079e32a4fbe5fcd3b50
Added to database: 3/20/2026, 8:39:21 PM
Last enriched: 3/27/2026, 10:16:09 PM
Last updated: 5/3/2026, 6:28:35 PM