Skip to main content

Notepad3 CVE-2026-38972

HIGH
Uncontrolled Search Path Element (CWE-427)
2026-07-02 cve@mitre.org
7.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local DLL planting (AV:L) with trivial complexity (AC:L), no prior privileges but victim must open the About dialog (UI:R); loaded code inherits full user-context C/I/A impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jul 06, 2026 - 16:24 vuln.today
CVSS changed
Jul 06, 2026 - 16:22 NVD
7.8 (HIGH)
CVE Published
Jul 02, 2026 - 21:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Notepad3 through 6.25.822.1 contains a DLL search-order hijacking vulnerability in the About-dialog code path in src/Notepad3.c. The application calls LoadLibrary(L"MSFTEDIT.DLL") with a bare DLL name, which allows a local attacker to place a malicious MSFTEDIT.DLL in the application directory or another preferred DLL search location and achieve arbitrary code execution in the context of the user when the About dialog is opened.

AnalysisAI

Local code execution in Notepad3 (versions through 6.25.822.1) arises from an insecure LoadLibrary(L"MSFTEDIT.DLL") call in the About-dialog path within src/Notepad3.c. Because the DLL is loaded by bare name, an attacker who can drop a malicious MSFTEDIT.DLL into the application directory or an earlier search-order location runs arbitrary code as the current user once that user opens the About dialog. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain write access to Notepad3 app/search-path directory
Delivery
Plant malicious MSFTEDIT.DLL
Exploit
Victim opens About dialog
Execution
LoadLibrary loads attacker DLL
Impact
Arbitrary code executes as user

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the attacker having write access to the Notepad3 application directory or an earlier entry in the Windows DLL search order relative to Notepad3.exe, into which a malicious file named exactly MSFTEDIT.DLL is placed; and (2) the victim user subsequently opening the About dialog in Notepad3, which triggers the vulnerable LoadLibrary(L"MSFTEDIT.DLL") call. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 7.8 High) correctly reflects a local attack vector requiring user interaction (opening the About dialog) but no prior privileges, yielding full confidentiality, integrity, and availability impact at the user's privilege level. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker delivers or drops a malicious MSFTEDIT.DLL into a directory from which the victim runs Notepad3.exe - for example bundling it alongside a portable Notepad3 copy on a shared drive or in the user's Downloads folder. When the victim later opens Help → About in Notepad3, the planted DLL is loaded instead of the System32 copy and the attacker's code executes with the victim's privileges. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - the corrective change is tracked in https://github.com/rizonesoft/Notepad3/pull/5606 against issue https://github.com/rizonesoft/Notepad3/issues/5605, but no tagged release version is present in the provided data, so upgrade to the first Notepad3 build that incorporates PR #5606 (verify at https://github.com/rizonesoft/Notepad3). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory Notepad3 installations across the organization using asset management and endpoint detection tools; assess the scope and criticality of Notepad3 usage. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-38972 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy