Notepad3
CVE-2026-38972
HIGH
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local DLL planting (AV:L) with trivial complexity (AC:L), no prior privileges but victim must open the About dialog (UI:R); loaded code inherits full user-context C/I/A impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Notepad3 through 6.25.822.1 contains a DLL search-order hijacking vulnerability in the About-dialog code path in src/Notepad3.c. The application calls LoadLibrary(L"MSFTEDIT.DLL") with a bare DLL name, which allows a local attacker to place a malicious MSFTEDIT.DLL in the application directory or another preferred DLL search location and achieve arbitrary code execution in the context of the user when the About dialog is opened.
AnalysisAI
Local code execution in Notepad3 (versions through 6.25.822.1) arises from an insecure LoadLibrary(L"MSFTEDIT.DLL") call in the About-dialog path within src/Notepad3.c. Because the DLL is loaded by bare name, an attacker who can drop a malicious MSFTEDIT.DLL into the application directory or an earlier search-order location runs arbitrary code as the current user once that user opens the About dialog. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) the attacker having write access to the Notepad3 application directory or an earlier entry in the Windows DLL search order relative to Notepad3.exe, into which a malicious file named exactly MSFTEDIT.DLL is placed; and (2) the victim user subsequently opening the About dialog in Notepad3, which triggers the vulnerable LoadLibrary(L"MSFTEDIT.DLL") call. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 7.8 High) correctly reflects a local attack vector requiring user interaction (opening the About dialog) but no prior privileges, yielding full confidentiality, integrity, and availability impact at the user's privilege level. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker delivers or drops a malicious MSFTEDIT.DLL into a directory from which the victim runs Notepad3.exe - for example bundling it alongside a portable Notepad3 copy on a shared drive or in the user's Downloads folder. When the victim later opens Help → About in Notepad3, the planted DLL is loaded instead of the System32 copy and the attacker's code executes with the victim's privileges. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - the corrective change is tracked in https://github.com/rizonesoft/Notepad3/pull/5606 against issue https://github.com/rizonesoft/Notepad3/issues/5605, but no tagged release version is present in the provided data, so upgrade to the first Notepad3 build that incorporates PR #5606 (verify at https://github.com/rizonesoft/Notepad3). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory Notepad3 installations across the organization using asset management and endpoint detection tools; assess the scope and criticality of Notepad3 usage. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
A vulnerability, which was classified as problematic, was found in Rizone Soft Notepad3 1.0.2.350. Rated medium severity
Out-of-bounds read vulnerability in Notepad3's Oniguruma regex engine (regcomp.C) allows local attackers with user inter
Same weakness CWE-427 – Uncontrolled Search Path Element
View allShare
External POC / Exploit Code
Leaving vuln.today