CVE-2026-4744
Received Received - Intake
Out-of-Bounds Read in Notepad3 Scintilla Module

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)

Description
Out-of-bounds Read vulnerability in rizonesoft Notepad3 (β€Žscintilla/oniguruma/src modules). This vulnerability is associated with program files regcomp.Cβ€Ž. This issue affects Notepad3: before 6.25.714.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4744
EUVD
EUVD-2026-14702
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rizonesoft notepad3 to 6.25.714.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an out-of-bounds read issue found in the rizonesoft Notepad3 software, specifically in the program files related to the regcomp.C module which involves regular expression compilation.

The problem originated from a function called compile_string_node(), which was cloned from the Oniguruma regular expression library but had not received a critical security patch that was applied in the original PHP source code. This led to a heap buffer overflow vulnerability in multibyte regular expression functions.

The vulnerability was fixed by applying the same patch from the PHP source repository to the cloned function in Notepad3, eliminating the security risk.

Impact Analysis

This vulnerability can lead to a heap buffer overflow, which may allow an attacker to read memory outside the intended bounds.

Such an out-of-bounds read can cause application crashes, data leakage, or potentially allow an attacker to execute arbitrary code depending on the context and exploitation.

Given the high CVSS score of 9.3, this indicates a severe impact with local attack vector and requires user interaction, but can lead to significant confidentiality, integrity, and availability impacts.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should update Notepad3 to version 6.25.714.1 or later, where the security fix has been applied.

The fix involves applying a security patch to the function compile_string_node(), which addresses a heap buffer overflow vulnerability in the multibyte regular expression functions.

Ensuring your Notepad3 installation is updated to the patched version will eliminate the security risk associated with this out-of-bounds read vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4744. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart