EUVD-2025-18873

CVE-2025-52939 | CRITICAL | Score 9.4 (CVSS 4.0)
Published 2025-06-23

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:U/V:C/RE:M/U:Red

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: N

Lifecycle Timeline

EUVD ID Assigned: Mar 15, 2026 - 22:10 (euvd) EUVD-2025-18873
Analysis Generated: Mar 15, 2026 - 22:10 (vuln.today)
CVE Published: Jun 23, 2025 - 10:15 (nvd)

Description (NVD)

Out-of-bounds Write vulnerability in dail8859 NotepadNext (src/lua/src modules). This vulnerability is associated with program files ldebug.c, lvm.c.

This issue affects NotepadNext: through v0.11.

Analysis (AI-generated)

CVE-2025-52939 is an out-of-bounds write vulnerability in the Lua interpreter modules (ldebug.c, lvm.c) bundled with NotepadNext through version 0.11. It allows a local attacker without privileges to achieve arbitrary code execution, with high impact on confidentiality, integrity, and availability. With a CVSS 4.0 score of 9.4, a local attack vector, and no user interaction required, this represents a critical local privilege escalation and code execution risk. KEV status and active exploitation are not confirmed in available intelligence, but the high CVSS score and the presence of the affected interpreter code in shipped builds mean this warrants immediate patching.

Technical Context (AI-generated)

NotepadNext bundles Lua interpreter code in its src/lua/src modules; the affected files, ldebug.c and lvm.c, are core components of the Lua virtual machine responsible for debug support and bytecode execution. The weakness class is CWE-787 (Out-of-bounds Write): software writes data beyond the boundaries of an allocated memory region, which commonly leads to stack or heap corruption, control-flow hijacking, and arbitrary code execution. The Lua VM interprets bytecode and manages stack frames; a failed bounds check in these modules lets an attacker overwrite adjacent memory (stack variables, function pointers, saved return addresses) with attacker-controlled data and so execute arbitrary code. The vulnerability affects NotepadNext versions up to and including v0.11, indicating that the vulnerable Lua code has not been patched in those official releases.

Remediation (AI-generated)

Immediate actions:
(1) Upgrade NotepadNext to the latest patched version (beyond v0.11); check the official NotepadNext GitHub releases page for patch availability: https://github.com/dail8859/NotepadNext/releases
(2) If no patched version is available, confine NotepadNext when it handles untrusted input, using OS-level sandboxing (AppArmor, SELinux, seccomp) or containerization (Docker with reduced capabilities).
(3) Validate Lua bytecode: disable or restrict Lua script execution in NotepadNext if it is not required, and review any .lua files loaded by the application.
(4) Monitor and audit local file access and process execution by NotepadNext; alert on unusual memory access patterns or child process creation.
(5) Vendor coordination: check the official NotepadNext GitHub issues (https://github.com/dail8859/NotepadNext) for advisories, patch timelines, and backport availability for the v0.11 branch.
(6) Update the Lua submodule: ensure the bundled Lua is updated to a patched upstream Lua release if the vulnerability is confirmed in the base Lua library.
