CVE-2026-33156 in ScreenToGif
Summary
by MITRE • 03/20/2026
ScreenToGif is a screen recording tool. In versions from 2.42.1 and prior, ScreenToGif is vulnerable to DLL sideloading via version.dll . When the portable executable is run from a user-writable directory, it loads version.dll from the application directory instead of the Windows System32 directory, allowing arbitrary code execution in the user's context. This is especially impactful because ScreenToGif is primarily distributed as a portable application intended to be run from user-writable locations. At time of publication, there are no publicly available patches.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/27/2026
CVE-2026-33156 represents a critical dll sideloading vulnerability affecting ScreenToGif versions 2.42.1 and earlier. This vulnerability stems from the application's improper dynamic link library loading mechanism where it searches for version.dll in the application directory before checking the Windows System32 directory. The flaw occurs because ScreenToGif, being a portable application distributed without installation, is frequently executed from user-writable directories such as desktop folders or temporary locations. When the application runs from such locations, it inadvertently loads a malicious version.dll file placed in the same directory, enabling attackers to execute arbitrary code with the privileges of the currently logged-in user. This vulnerability directly maps to CWE-426 Untrusted Search Path which is classified under the software security weakness category related to insecure library loading practices. The impact is particularly severe because ScreenToGif is designed to be portable and run from user directories, making it an ideal target for attackers who can simply place a malicious dll file in the same directory as the legitimate executable. From an operational perspective, this vulnerability allows for privilege escalation without requiring administrative rights, as the malicious code executes within the user context. The attack vector is particularly concerning because it requires minimal user interaction - simply running the application from a compromised directory is sufficient for exploitation. The lack of available patches at the time of publication means that organizations cannot rely on vendor-provided fixes, forcing them to implement immediate mitigations. The vulnerability aligns with ATT&CK technique T1059.001 Command and Scripting Interpreter where adversaries leverage legitimate system tools to execute malicious code. This particular vulnerability is especially dangerous in enterprise environments where users may inadvertently run applications from untrusted directories, and the portable nature of the tool makes it common in various user locations. Organizations should implement directory permissions controls to prevent write access to directories where portable applications are executed, and consider deploying application whitelisting solutions to restrict execution of unauthorized dll files. Additionally, users should be educated about the risks of running portable applications from untrusted locations and the importance of verifying application integrity before execution.
The vulnerability demonstrates how portable applications present unique security challenges that differ from traditional installed software. Unlike installed applications that typically load libraries from system directories, portable applications often load libraries from their local directory structure, creating opportunities for dll sideloading attacks. This issue highlights the importance of proper library loading practices and the need for developers to implement secure coding techniques that prioritize system directory searches over local directory searches. The vulnerability also underscores the broader problem of dll sideloading in the windows ecosystem where applications often fail to properly validate the authenticity and integrity of loaded libraries. Security practitioners should consider this vulnerability as part of a larger attack surface that includes other portable applications and tools that may be susceptible to similar attacks. The absence of vendor patches at the time of publication creates an urgent need for immediate defensive measures including network segmentation, monitoring for suspicious dll loading patterns, and implementing least privilege principles to limit the potential impact of successful exploitation. This vulnerability serves as a reminder of the critical importance of maintaining up-to-date security practices and the risks associated with using portable applications in enterprise environments without proper security controls.