Skip to main content

Notepad CVE-2026-5525

| EUVDEUVD-2026-21334 MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-04-10 securin GHSA-8hrp-2fqv-gvrx
6.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 10, 2026 - 08:15 euvd
EUVD-2026-21334
Analysis Generated
Apr 10, 2026 - 08:15 vuln.today
CVE Published
Apr 10, 2026 - 07:40 nvd
MEDIUM 6.0

DescriptionCVE.org

A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in the file drop handler component. When a user drags and drops a directory path of exactly 259 characters without a trailing backslash, the application appends a backslash and null terminator without proper bounds checking, resulting in a stack buffer overflow and application crash (STATUS_STACK_BUFFER_OVERRUN).

AnalysisAI

Stack-based buffer overflow in Notepad++ 8.9.3 file drop handler allows local authenticated users to cause application crash and potentially execute code by dragging and dropping a directory path of exactly 259 characters without a trailing backslash, triggering unbounded buffer write via automatic backslash and null terminator appending. CVSS 6.0 (High) reflects local attack vector and high complexity; no public exploit code or active KEV status identified, but upstream fix is confirmed available.

Technical ContextAI

The vulnerability exists in Notepad++'s drag-and-drop file handler, which processes directory paths without proper bounds validation before appending path separators and null terminators to a fixed-size stack buffer. The 259-character path length represents a critical boundary condition-likely related to MAX_PATH (260 on Windows) minus one-where the automatic appending of a backslash and null terminator exceeds the buffer's allocated size. This is a classic stack-based buffer overflow (CWE-121: Stack-based Buffer Overflow). The Notepad++ project CPE indicates all versions in the 8.x series are potentially affected, though the issue is specifically confirmed in 8.9.3. The vulnerability requires user interaction (drag-and-drop UI action) and local system access, limiting remote exploitation potential.

RemediationAI

Users should upgrade to a patched version released after commit bfe7514d68bc559534c046c4ef2d1865267aa2b0 (available at https://github.com/notepad-plus-plus/notepad-plus-plus/pull/17930). The exact patched release version is not explicitly confirmed in the provided data, but the pull request and commit indicate the fix is integrated upstream; check the official Notepad++ releases page for the earliest version incorporating this commit (typically the next minor or patch release after 8.9.3). As a workaround, avoid dragging and dropping directory paths longer than 257 characters into Notepad++, or ensure paths include a trailing backslash. Administrators managing shared systems should deploy the patched version as soon as it becomes generally available.

CVE-2014-9456 CRITICAL POC
10.0 Jan 02

Buffer overflow in NotePad++ 6.6.9 allows remote attackers to have unspecified impact via a long Time attribute in an Ev

CVE-2025-15556 HIGH
7.5 Feb 03

Notepad++ versions prior to 8.8.9 contain an update integrity verification vulnerability (CVE-2025-15556) when using the

CVE-2023-47452 HIGH POC
7.8 Nov 30

An Untrusted search path vulnerability in notepad++ 6.5 allows local users to gain escalated privileges through the msim

CVE-2023-40031 HIGH POC
7.8 Aug 25

Notepad++ is a free and open-source source code editor. Rated high severity (CVSS 7.8), this vulnerability is no authent

CVE-2022-32168 HIGH POC
7.8 Sep 28

Notepad++ versions 8.4.1 and before are vulnerable to DLL hijacking where an attacker can replace the vulnerable dll (Ux

CVE-2019-16294 HIGH POC
7.8 Sep 14

SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode ch

CVE-2026-3008 MEDIUM POC
6.6 Apr 27

String injection in Notepad++ 8.9.3 leads to memory address disclosure or application crash when processing maliciously

CVE-2022-31902 MEDIUM POC
5.5 Feb 01

Notepad++ v8.4.1 was discovered to contain a stack overflow via the component Finder::add(). Rated medium severity (CVSS

CVE-2023-40166 MEDIUM POC
5.5 Aug 25

Notepad++ is a free and open-source source code editor. Rated medium severity (CVSS 5.5), this vulnerability is no authe

CVE-2023-40164 MEDIUM POC
5.5 Aug 25

Notepad++ is a free and open-source source code editor. Rated medium severity (CVSS 5.5), this vulnerability is no authe

CVE-2023-40036 MEDIUM POC
5.5 Aug 25

Notepad++ is a free and open-source source code editor. Rated medium severity (CVSS 5.5), this vulnerability is no authe

CVE-2023-0909 MEDIUM POC
5.5 Feb 18

A vulnerability, which was classified as problematic, was found in cxasm notepad-- 1.22. Rated medium severity (CVSS 5.5

Share

CVE-2026-5525 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy