CVE-2026-3008
String Injection Vulnerability Causes Memory Disclosure and Crashes
Publication date: 2026-04-27
Last updated on: 2026-04-27
Assigner: CSA
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| notepad++ | notepad++ | 8.9.3 |
| notepad++ | notepad++ | 8.9.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-134 | The product uses a function that accepts a format string as an argument, but the format string originates from an external source. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to update Notepad++ to version 8.9.4 or later, which includes a security fix addressing this vulnerability.
Additional mitigation steps include:
- Remove or replace any untrusted or suspicious nativeLang.xml localization files from the Notepad++ installation or configuration directories.
- Avoid using untrusted or unofficial language packs that could contain malicious format strings.
- Monitor Notepad++ behavior for crashes or abnormal memory disclosures during search operations and restrict usage until patched.
Can you explain this vulnerability to me?
CVE-2026-3008 is a format string injection vulnerability found in Notepad++ version 8.9.3. It arises from improper handling of attacker-controlled input in the nativeLang.xml language pack file, specifically in the <find-result-hits> attribute. The application uses this string as a format string argument in the Windows API function wsprintfW without validation. Because wsprintfW interprets format specifiers like %s and %x, an attacker can craft malicious format strings that cause unintended behavior.
This vulnerability can cause two main issues: first, it can crash Notepad++ reliably by causing access violations when wsprintfW tries to dereference invalid memory addresses. Second, it can leak sensitive memory information by printing stack and register contents in hexadecimal format in the Find Results panel. However, the vulnerability does not allow code execution because wsprintfW does not support the %n specifier, and the output buffer size limits prevent buffer overflow.
How can this vulnerability impact me?
This vulnerability can impact users by allowing attackers to cause a denial of service (DoS) through reliable crashing of the Notepad++ application. This crash occurs when a malicious nativeLang.xml file containing crafted format strings is loaded and a search operation produces results.
Additionally, the vulnerability can lead to information disclosure by leaking sensitive memory contents such as stack and register data into the Find Results panel. This memory information could potentially aid attackers in further attacks or reconnaissance.
While the vulnerability does not allow direct code execution, the denial of service and information leakage can disrupt normal use of Notepad++ and expose sensitive internal memory data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if Notepad++ version 8.9.3 is installed and if the nativeLang.xml localization file contains malicious format string specifiers in the <find-result-hits> attribute. Specifically, a crafted nativeLang.xml file with format specifiers like "%s" or "%08lx" can trigger the vulnerability during search operations.
To detect exploitation attempts or presence of the vulnerability, you can look for crashes or abnormal behavior in Notepad++ when performing search operations such as "Find All in Current Document".
Suggested detection steps include:
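- Verify the installed Notepad++ version (8.9.3 is the vulnerable version). For example, check the About dialog, or read the version from the executable in PowerShell: `(Get-Item "$env:ProgramFiles\Notepad++\notepad++.exe").VersionInfo.ProductVersion` (the path assumes a default installation).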
- Check for the presence of nativeLang.xml in the Notepad++ directory or in `%APPDATA%\Notepad++`.
- Inspect the nativeLang.xml file for suspicious format specifiers in the <find-result-hits> attribute, e.g., using a command like `findstr /C:"%s" nativeLang.xml` on Windows or `grep "%s" nativeLang.xml` on Unix-like systems.
- Monitor application logs or Windows Event Viewer for crashes related to Notepad++ during search operations.
Proof of concept involves replacing or modifying nativeLang.xml with malicious payloads and performing a search operation that triggers the crash or information leak.
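The `findstr`/`grep` checks above match only a literal `%s` anywhere in the file. The following added example (not part of the original page or of Notepad++) parses the file and reports every printf-style conversion specifier found in the `<find-result-hits>` element; the function name, the sample XML and the assumption that the string is stored in an attribute of that element are illustrative.

```python
import re
import sys
import xml.etree.ElementTree as ET

# printf-style conversion: % [flags] [width] [.precision] [size] type
SPEC = re.compile(r"%[-#0]*\d*(?:\.\d+)?(?:I64|I32|I|h|l|w)?[cCdiupsSxX]")
TARGET = "find-result-hits"  # element named in the advisory text


def scan_native_lang(data: bytes):
    """Return (attribute, value, [specifiers]) for each suspicious string."""
    # The file is untrusted input: refuse DTDs to avoid entity-expansion tricks.
    if b"<!DOCTYPE" in data:
        raise ValueError("DOCTYPE not expected in a language pack")
    findings = []
    for elem in ET.fromstring(data).iter(TARGET):
        # Assumption: the localized string is an attribute (or the text) of the element.
        candidates = list(elem.attrib.items()) + [("#text", elem.text or "")]
        for name, value in candidates:
            # "%%" is a literal percent sign, not a conversion.
            specs = SPEC.findall(value.replace("%%", ""))
            if specs:
                findings.append((name, value, specs))
    return findings


# Constructed samples; the surrounding element names are illustrative.
SAMPLE_CLEAN = b"""<?xml version="1.0" encoding="UTF-8"?>
<NotepadPlus><Native-Langue name="Constructed">
  <MiscStrings><find-result-hits value="(hits)"/></MiscStrings>
</Native-Langue></NotepadPlus>"""

SAMPLE_BAD = SAMPLE_CLEAN.replace(b"(hits)", b"%08lx.%08lx.%s")

if __name__ == "__main__":
    # Usage: python scan_nativelang.py path\to\nativeLang.xml
    with open(sys.argv[1], "rb") as fh:
        hits = scan_native_lang(fh.read())
    for attr, value, specs in hits:
        print(f"{TARGET}[{attr}] = {value!r} -> specifiers {specs}")
    sys.exit(1 if hits else 0)
```

Compare any reported value against the same entry in the language file shipped with the official installer before treating it as malicious.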
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-3008 vulnerability in Notepad++ allows attackers to obtain memory address information or cause the application to crash through a format string injection flaw. This can lead to information disclosure of sensitive memory contents.
Such information disclosure vulnerabilities can potentially impact compliance with data protection regulations like GDPR or HIPAA if the leaked memory contains personal or sensitive data. Unauthorized access to memory contents may violate confidentiality requirements mandated by these standards.
However, the vulnerability does not allow code execution or direct data modification, limiting the scope of impact. Mitigation by updating to Notepad++ version 8.9.4 is recommended to address the issue and reduce compliance risks.