Skip to main content

Notepad++ CVE-2026-48770

| EUVDEUVD-2026-39908 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-26 GitHub_M
5.0
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.0 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
vuln.today AI
5.0 MEDIUM

Local IPC attack requires same-session process; low privileges suffice; impact is availability-only crash with no confirmed data disclosure.

3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jun 26, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 26, 2026 - 21:26 vuln.today
Analysis Generated
Jun 26, 2026 - 21:26 vuln.today

DescriptionCVE.org

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malformed WM_COPYDATA message to Notepad++ using the COPYDATA_FULL_CMDLINE path. The handler appears to process COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* instead of enforcing COPYDATASTRUCT.cbData. This vulnerability is fixed in 8.9.6.1.

AnalysisAI

Notepad++ versions prior to 8.9.6.1 can be crashed by any local process sharing the same interactive Windows session via a malformed WM_COPYDATA message. The COPYDATA_FULL_CMDLINE handler in NppBigSwitch.cpp dereferences COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* without validating against the COPYDATASTRUCT.cbData length field, enabling an out-of-bounds read that results in process termination. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enumerate top-level Windows handles
Delivery
Identify Notepad++ main window
Exploit
Craft WM_COPYDATA with malformed COPYDATA_FULL_CMDLINE lpData
Execution
Send message via SendMessage Win32 API
Persist
Out-of-bounds wchar_t* read triggered
Impact
Notepad++ process crashes (DoS, unsaved data lost)

Vulnerability AssessmentAI

Exploitation Exploitation requires a process running within the same interactive Windows desktop session as the target Notepad++ instance (AV:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.0 (Medium) reflects a local attack vector (AV:L), low attack complexity (AC:L), low privilege requirement (PR:L), and required user interaction (UI:R), with impact limited to availability (A:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privileged process running in the same interactive Windows desktop session as Notepad++ enumerates top-level windows to locate the Notepad++ main window handle, then calls SendMessage with WM_COPYDATA, setting dwData to COPYDATA_FULL_CMDLINE and providing an lpData buffer that is not NUL-terminated within the cbData-specified length. Notepad++'s WM_COPYDATA handler reads the wchar_t* past the buffer boundary, triggering an access violation and crashing the editor, causing loss of any unsaved work. …
Remediation Upgrade Notepad++ to version 8.9.6.1, which is the vendor-released patch confirmed by GitHub Security Advisory GHSA-r39g-3mcw-xcg2 and commit f20a0888a92ce557a339b833cd9d9d8e97dc797d. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48770 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy