VYPR
Unrated severity · NVD Advisory · Published Feb 25, 2019 · Updated Aug 4, 2024

CVE-2019-9116

Description

DLL hijacking is possible in Sublime Text 3 version 3.1.1 build 3176 on 32-bit Windows platforms because a Trojan horse api-ms-win-core-fibers-l1-1-1.dll or api-ms-win-core-localization-l1-2-1.dll file may be loaded if a victim uses sublime_text.exe to open a .txt file within an attacker's %LOCALAPPDATA%\Temp\sublime_text folder. NOTE: the vendor's position is "This does not appear to be a bug with Sublime Text, but rather one with Windows that has been patched."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Sublime Text 3 uses an insecure DLL search order that allows a malicious DLL placed in the %LOCALAPPDATA%\Temp\sublime_text folder to be loaded instead of the legitimate system DLL."

Attack vector

An attacker with local access creates a folder at %LOCALAPPDATA%\Temp\sublime_text and places a Trojan horse api-ms-win-core-fibers-l1-1-1.dll or api-ms-win-core-localization-l1-2-1.dll inside it. The attacker also creates a test.txt file in the same folder. When the victim opens that .txt file with sublime_text.exe, the application loads the malicious DLL from the Temp folder instead of the legitimate system DLL, allowing arbitrary code execution in the context of the user running Sublime Text [ref_id=1].

Affected code

The vulnerability involves the way Sublime Text 3 (build 3176, 32-bit) resolves DLL dependencies at startup. The issue is not in a specific source file but in the application's DLL search order, which allows a malicious DLL placed in the %LOCALAPPDATA%\Temp\sublime_text folder to be loaded before the legitimate system DLL [ref_id=1].

What the fix does

No patch has been published by Sublime Text for this issue. The vendor's position is that this is a Windows DLL search-order behavior that Microsoft has already patched, rather than a bug in Sublime Text itself. The advisory does not provide any remediation guidance beyond noting the Windows-level fix [ref_id=1].

Preconditions

  • auth: Attacker must have write access to the victim's %LOCALAPPDATA% folder to create the Temp folder and place files
  • input: Victim must open a .txt file located in the attacker-created %LOCALAPPDATA% folder using sublime_text.exe
  • config: Vulnerable only on 32-bit Windows platforms (Windows 7 SP1 32-bit confirmed)
  • network: Attacker must be on the same local system as the victim

Reproduction

1. Create the folder C:\Users\username\AppData\Local\Temp\sublime_text.
2. Place a Trojan horse api-ms-win-core-fibers-l1-1-1.dll or api-ms-win-core-localization-l1-2-1.dll into that folder.
3. Create a file named test.txt in the same folder.
4. Open test.txt using sublime_text.exe.

The malicious DLL will be loaded, executing arbitrary code (e.g., launching calc.exe) [ref_id=1].
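
A defender-side check for the load pattern described above, as an added example that is not part of the advisory or of Sublime Text: it flags image-load events in which an API-set-named DLL (such as the two named here) comes from a folder that is neither a Windows system directory nor the executable's own folder. The events are constructed samples using Sysmon Event ID 7 field names; `classify_image_load`, `scan`, the directory list and the sample paths are assumptions of this example.

```python
import ntpath
import re

# API-set style DLL names, e.g. api-ms-win-core-fibers-l1-1-1.dll
API_SET_NAME = re.compile(r"^(api|ext)-ms-win-[a-z0-9-]+\.dll$")
# Assumed default Windows layout; adjust if %SystemRoot% differs.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_MARKER = "\\appdata\\local\\temp\\"


def classify_image_load(event):
    """Return a finding dict for a suspicious API-set DLL load, else None."""
    image = ntpath.normcase(event["Image"])
    loaded = ntpath.normcase(event["ImageLoaded"])
    if not API_SET_NAME.match(ntpath.basename(loaded)):
        return None
    loaded_dir = ntpath.dirname(loaded) + "\\"
    # Expected sources: system directories (including subfolders) or the
    # executable's own folder (app-local runtime deployment).
    own_dir = ntpath.dirname(image) + "\\"
    if loaded_dir.startswith(SYSTEM_DIRS) or loaded_dir == own_dir:
        return None
    return {
        "process": ntpath.basename(image),
        "dll": ntpath.basename(loaded),
        "from_user_temp": TEMP_MARKER in loaded_dir,
        "signed": event.get("Signed", "false").lower() == "true",
    }


def scan(events):
    """Classify every event and keep only the findings."""
    return [f for f in map(classify_image_load, events) if f]


# Constructed sample events (field names follow Sysmon Event ID 7).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Sublime Text 3\sublime_text.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\sublime_text"
                    r"\api-ms-win-core-fibers-l1-1-1.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Sublime Text 3\sublime_text.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Program Files\ExampleApp"
                    r"\api-ms-win-crt-runtime-l1-1-0.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the first sample event is reported; the app-local runtime DLL and the system DLL are treated as expected loads.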

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
