Notepad++ Vulnerability Allows Attackers to Crash Application, Leak Memory Data

Parkinsond
Dec 6, 2023
A security vulnerability has been identified in Notepad++, one of the most widely used open-source text editors among developers and IT professionals.

The vulnerability, tracked as CVE-2026-3008, could allow a remote attacker to crash the application or extract sensitive memory address information from affected systems.

The vulnerability is a string injection flaw located within the FindInFiles functionality of Notepad++. Specifically, the issue arises when the nativeLang.xml configuration file’s "find-result-hits" field contains a "%s" format specifier, triggering unexpected behavior during search operations.

This type of vulnerability can lead to improper memory handling, enabling threat actors to either cause a denial-of-service (DoS) condition by crashing the application or gather memory address information that could be leveraged in further exploitation attempts.

The Notepad++ Product Owner Mr Hazley Samsudin, has responded promptly by releasing version 8.9.4, which directly addresses both CVE-2026-3008 and CVE-2026-6539.

 

Affected Version

The vulnerability specifically affects:
  • Notepad++ version 8.9.3

Users running earlier versions should assume they are equally at risk and apply the available patch without delay.

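The flaw described above comes down to a localisation string ("find-result-hits" in nativeLang.xml) carrying a printf-style "%s" where only Notepad++'s own substitution token belongs. The audit below is an added example, not Notepad++ code: it flags any printf conversion in a language pack and any placeholder set that differs from the official English pack, which is the kind of check to run on a third-party translation before installing it. The XML layout and the `$INT_REPLACE$` placeholder convention are assumptions made for the sample.

```python
import re
import xml.etree.ElementTree as ET

# printf-style conversion such as %s, %08x, %ld, %p; "%%" (an escaped percent) is removed before scanning.
PRINTF_SPEC = re.compile(r"%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|L|z|j|t|I64|I32|I)?[diouxXeEfFgGaAcspn]")
# Substitution tokens of the form $INT_REPLACE$ (assumed convention for this example).
PLACEHOLDER = re.compile(r"\$[A-Z_]+\$")

def _entries(xml_text):
    """Map each element (tag plus id/name when present) to its remaining string attributes."""
    out = {}
    for elem in ET.fromstring(xml_text).iter():
        key = elem.tag + "".join(f"[{k}={elem.attrib[k]}]" for k in ("id", "name") if k in elem.attrib)
        out[key] = {k: v for k, v in elem.attrib.items() if k not in ("id", "name")}
    return out

def audit_language_pack(candidate_xml, reference_xml):
    """Compare a candidate language pack against the reference (official English) pack.
    Returns a list of (entry, attribute, problem) for strings that carry printf conversions
    or whose $..$ placeholders differ from the reference string."""
    ref, cand = _entries(reference_xml), _entries(candidate_xml)
    problems = []
    for key, attrs in cand.items():
        for attr, value in attrs.items():
            for m in PRINTF_SPEC.finditer(value.replace("%%", "")):
                problems.append((key, attr, f"unexpected printf conversion {m.group(0)!r}"))
            ref_value = ref.get(key, {}).get(attr)
            if ref_value is not None and sorted(PLACEHOLDER.findall(value)) != sorted(PLACEHOLDER.findall(ref_value)):
                problems.append((key, attr, f"placeholders {PLACEHOLDER.findall(value)} differ from reference {PLACEHOLDER.findall(ref_value)}"))
    return problems

# Constructed sample packs; this is not real nativeLang.xml content, the structure is assumed for illustration.
REFERENCE_XML = """<NotepadPlus><Native-Langue name="English" filename="english.xml">
  <Find>
    <find-result-hits value="($INT_REPLACE$ hits)"/>
    <find-result-title value="Search"/>
  </Find>
</Native-Langue></NotepadPlus>"""

TAMPERED_XML = """<NotepadPlus><Native-Langue name="Sample" filename="sample.xml">
  <Find>
    <find-result-hits value="(%s hits, %p)"/>
    <find-result-title value="Recherche 100%%"/>
  </Find>
</Native-Langue></NotepadPlus>"""

if __name__ == "__main__":
    for entry, attr, problem in audit_language_pack(TAMPERED_XML, REFERENCE_XML):
        print(f"{entry} @{attr}: {problem}")
```

The escaped "100%%" in the title string is deliberately left unflagged, since a literal percent sign is harmless; only the hits string, with "%s" and "%p" in place of the expected token, is reported.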
 
I use Notepad++ like others — been using it for years. After reading the comments, I checked the alternatives and noted:

1. The six-month supply-chain attack has been attributed to a nation-state, which targeted a FREE tool popular among people who hold VERY valuable secrets. It lasted six months because only a small number of people were affected, so it wasn’t obvious. The attackers compromised the hosting provider’s infrastructure and exploited weak code signing and verification. Part of the code-signing problem was the developer having trouble getting a signing certificate; the old CA decided an individual open-source developer was no longer worth the risk.

2. THIS vulnerability only affected people who use language packs OTHER than English and who downloaded them from NON-OFFICIAL sources (like from the community members). See the CVE details on GitHub. Even if I hadn’t updated, I wouldn’t have been affected.

3. The vulnerability was reported to CSA and then forwarded to Notepad++ on April 16; the fix was released on April 26 at 13:37 UTC — less than 11 days after the developer was notified.

Those points may be my rationalization why I’m not switching (really, there’s no easy way out), but I’ll say this: because it’s such a useful and free tool for tech people, it’s become a more valuable target. Options to reduce risk include using a less popular editor or a paid one that you hope — sometimes unrealistically — has better security.

Meanwhile, we can buy the developer another cup of coffee, for the 💖 he put into the project.
 
I tested about ten options, and the two that I can suggest are Notepad3 (which is built on the Scintilla platform that Notepad++ is based on) and Sublime Text.
Notepad4 is the fastest one, but it doesn't have a complete dark theme; I mean the top part of the UI is not dark. But neither Notepad3 nor Notepad4 has tab support.
 
Since this is the only problem I have with Notepad3, my default text editor is Sublime Text. EditPad Lite is also available, but since it has a pro version, I believe that users will eventually discover limitations that I haven't yet.