CVE-2026-33156: CWE-426: Untrusted Search Path in NickeManarin ScreenToGif
ScreenToGif is a screen recording tool. In versions 2.42.1 and prior, ScreenToGif is vulnerable to DLL sideloading via version.dll. When the portable executable is run from a user-writable directory, it loads version.dll from the application directory instead of the Windows System32 directory, allowing arbitrary code execution in the user's context. This is especially impactful because ScreenToGif is primarily distributed as a portable application intended to be run from user-writable locations. At time of publication, there are no publicly available patches.
AI Analysis
Technical Summary
CVE-2026-33156 is a vulnerability classified under CWE-426 (Untrusted Search Path) and CWE-427 (Uncontrolled Search Path Element) affecting ScreenToGif, a popular screen recording tool. Versions up to and including 2.42.1 are affected. The core issue arises from the application's loading behavior of the version.dll library: when the portable executable is launched from a user-writable directory, it loads version.dll from the same directory rather than the trusted Windows System32 folder. This behavior enables an attacker who can place a malicious version.dll in the application's directory to execute arbitrary code with the privileges of the user running the application. Since ScreenToGif is primarily distributed as a portable application intended to be run from user-writable locations, this increases the risk of exploitation. The vulnerability requires user interaction to launch the vulnerable executable but does not require elevated privileges or network access. No public patches or fixes are available at the time of disclosure, and no known exploits have been observed in the wild. The CVSS v3.1 base score is 7.8, indicating a high severity due to the potential for full compromise of user confidentiality, integrity, and availability. This vulnerability highlights the risks of DLL sideloading in portable applications and the importance of secure library loading practices.
Potential Impact
The vulnerability allows an attacker to execute arbitrary code in the context of the user running ScreenToGif, potentially leading to full compromise of the user's data and system access rights. This can result in data theft, installation of persistent malware, lateral movement within networks, and disruption of user workflows. Since ScreenToGif is often used by individuals and organizations for creating screen recordings, attackers could leverage this vulnerability to gain footholds in corporate environments, especially where endpoint protections are weak or portable applications are commonly used. The impact extends to confidentiality, integrity, and availability, as malicious DLLs could exfiltrate sensitive information, modify or delete files, or disrupt application and system operations. The requirement for user interaction limits remote exploitation but does not eliminate risk, particularly in environments where users frequently run portable executables from untrusted or shared directories. The lack of available patches increases exposure until mitigations or updates are released.
Mitigation Recommendations
1. Restrict execution of ScreenToGif to trusted directories only, avoiding user-writable or shared folders where malicious DLLs could be placed.
2. Implement application whitelisting to ensure only verified binaries and libraries are executed.
3. Monitor directories where ScreenToGif is run for unexpected or suspicious DLL files, especially version.dll.
4. Educate users about the risks of running portable applications from untrusted locations and encourage use of installed versions if available.
5. Use endpoint protection solutions capable of detecting DLL sideloading or anomalous library loading behaviors.
6. Consider running ScreenToGif with least privilege and in sandboxed environments to limit the impact of potential exploitation.
7. Stay alert for vendor updates or patches addressing this vulnerability and apply them promptly once available.
8. Employ file integrity monitoring on application directories to detect unauthorized changes.
9. Review and restrict user permissions on file system locations to prevent unauthorized DLL placement.
10. If feasible, replace ScreenToGif with alternative screen recording tools that do not exhibit this vulnerability until a patch is released.
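As an added example (not part of the original advisory and not vendor code), the PowerShell function below implements recommendation 3: it searches user-writable folders for ScreenToGif.exe and reports any version.dll beside it, with its hash, Authenticode status and whether it matches the system copy. The executable name ScreenToGif.exe, the function name and the default search roots are assumptions.

```powershell
# Added example, not ScreenToGif or vendor code. Flags any version.dll that sits
# beside ScreenToGif.exe, because that copy is loaded instead of the System32 one.
function Find-ScreenToGifSideload {
    [CmdletBinding()]
    param(
        # Assumed search roots: common user-writable locations for portable apps.
        [string[]]$Root = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop",
                            "$env:LOCALAPPDATA", "$env:TEMP")
    )

    # SHA-256 of the genuine system copies (64-bit and, where present, 32-bit).
    $systemHashes = @("$env:windir\System32\version.dll", "$env:windir\SysWOW64\version.dll") |
        Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object { (Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash }

    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        # ScreenToGif.exe is the assumed name of the portable executable.
        Get-ChildItem -LiteralPath $r -Filter 'ScreenToGif.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $dll = Join-Path $_.DirectoryName 'version.dll'
                # No co-located version.dll: nothing to report for this copy.
                if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) { return }

                $item = Get-Item -LiteralPath $dll -Force
                $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
                $sig  = Get-AuthenticodeSignature -LiteralPath $dll
                [pscustomobject]@{
                    Executable      = $_.FullName
                    Dll             = $dll
                    Sha256          = $hash
                    MatchesSystem   = $systemHashes -contains $hash
                    SignatureStatus = $sig.Status
                    Signer          = $sig.SignerCertificate.Subject
                    CreatedUtc      = $item.CreationTimeUtc
                    LastWriteUtc    = $item.LastWriteTimeUtc
                }
            }
    }
}

Find-ScreenToGifSideload | Format-List
```

Any result deserves review, since a version.dll in the application directory is loaded in preference to the System32 copy; a MatchesSystem value of False or a SignatureStatus other than Valid raises the priority.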
Affected Countries
United States, Germany, Japan, United Kingdom, Canada, Australia, France
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T21:17:08.886Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bdb079e32a4fbe5fcd3b50
Added to database: 3/20/2026, 8:39:21 PM
Last enriched: 3/20/2026, 8:53:39 PM
Last updated: 3/21/2026, 4:03:10 AM