Skip to main content

Notepad++ EUVDEUVD-2026-39906

| CVE-2026-52885 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-26 GitHub_M
7.5
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.7 MEDIUM

Local file-swap race (AV:L/AC:H); attacker needs write access to the victim's config file (PR:L) and the user must trigger a command (UI:R); full command execution gives C/I/A High.

3.1 AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 26, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 26, 2026 - 21:22 vuln.today
Analysis Generated
Jun 26, 2026 - 21:22 vuln.today

DescriptionCVE.org

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (Time-of-Check). However, the command payload is taken from the in-memory _userCommands vector, which is populated at application startup and never re-synchronized with the on-disk file (Time-of-Use). Swapping shortcuts.xml between startup and command execution causes the HMAC check to validate a clean file while a malicious command runs. An attacker with write access to shortcuts.xml places a malicious version on disk before launch, then immediately restores the legitimate file. The HMAC check at execution time validates the restored legitimate file (check passes), while the malicious payload executes from memory. This vulnerability is fixed in 8.9.6.4.

AnalysisAI

Local code execution in Notepad++ before 8.9.6.4 stems from a time-of-check/time-of-use race in NppCommands.cpp: the integrity HMAC of shortcuts.xml is verified against the on-disk file when a command fires, but the command payload is read from the _userCommands vector loaded at startup and never re-synced with disk. An attacker with write access to shortcuts.xml can plant a malicious version before launch and restore the legitimate file afterward, so the runtime HMAC check passes on the clean file while the malicious in-memory command executes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain write access to shortcuts.xml
Delivery
Plant malicious shortcuts.xml pre-launch
Exploit
Notepad++ loads tampered commands into memory
Execution
Restore legitimate file on disk
Persist
User fires command, HMAC validates clean file
Impact
Malicious in-memory command executes

Vulnerability AssessmentAI

Exploitation Requires local write access to the on-disk shortcuts.xml file and the ability to win a timing race: the attacker must place the malicious shortcuts.xml before Notepad++ startup (when _userCommands is populated) and restore the legitimate file before the command-time HMAC check executes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H, base 7.5) correctly reflects a local-only attack with high complexity due to the race window, but high impact to confidentiality, integrity and availability since arbitrary user commands run. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who already has write access to a victim's shortcuts.xml (for example via a prior low-privilege foothold or a writable shared profile path) replaces the file with one defining a malicious command, then restores the legitimate file once Notepad++ has loaded the tampered commands into memory. When the user triggers the affected command, the runtime HMAC check validates the restored clean file and passes, while the attacker's command executes from memory. …
Remediation Vendor-released patch: upgrade Notepad++ to 8.9.6.4 or later, which caches the shortcuts.xml HMAC at startup (Parameters.cpp) and compares the cached load-time value instead of recomputing it at command time, eliminating the swap window; see advisory https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories/GHSA-qm4c-qg8p-qfcr and commit 4f7563c7c7f8ffa0d795ec86a7777067c7d644b5. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running Notepad++ versions prior to 8.9.6.4; assess exposure on multi-user and shared systems where configuration write access is feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy