CVE-2026-2040 ‒ PDF-XChange Editor TrackerUpdate Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
Metrics: cve.org
Description
The TrackerUpdate process loads libraries from an unsecured location, leading to privilege escalation.
Vulnerability
We found a vulnerability in the TrackerUpdate process that allows an attacker to load a DLL into the process. This vulnerability can be leveraged to escalate privileges and execute code in the context of another user on the system.
We reported this vulnerability to the Zero Day Initiative, which then handled the disclosure to the vendor.
Mitigations
Update to the latest release (fixed in version 10.7.3.401).
Timeline
| Date | Action |
|---|---|
| 21.07.2025 | Vulnerability found by Neodyme |
| 16.09.2025 | Vulnerability reported to vendor |
| 19.02.2026 | Coordinated public release of advisory |