CVE-2026-3008
Received Received - Intake
String Injection Vulnerability Causes Memory Disclosure and Crashes

Publication date: 2026-04-27

Last updated on: 2026-04-27

Assigner: CSA

Description
Successful exploitation of the string injection vulnerability could allow an attacker to obtain memory address information or crash the application.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3008
EUVD
EUVD-2026-25775
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
notepad++ notepad++ 8.9.3
notepad++ notepad++ 8.9.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-134 The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The immediate and recommended mitigation step is to update Notepad++ to version 8.9.4 or later, which includes a security fix addressing this vulnerability.

Additional mitigation steps include:

  • Remove or replace any untrusted or suspicious nativeLang.xml localization files from the Notepad++ installation or configuration directories.
  • Avoid using untrusted or unofficial language packs that could contain malicious format strings.
  • Monitor Notepad++ behavior for crashes or abnormal memory disclosures during search operations and restrict usage until patched.
Executive Summary

CVE-2026-3008 is a format string injection vulnerability found in Notepad++ version 8.9.3. It arises from improper handling of attacker-controlled input in the nativeLang.xml language pack file, specifically in the <find-result-hits> attribute. The application uses this string as a format string argument in the Windows API function wsprintfW without validation. Because wsprintfW interprets format specifiers like %s and %x, an attacker can craft malicious format strings that cause unintended behavior.

This vulnerability can cause two main issues: first, it can crash Notepad++ reliably by causing access violations when wsprintfW tries to dereference invalid memory addresses. Second, it can leak sensitive memory information by printing stack and register contents in hexadecimal format in the Find Results panel. However, the vulnerability does not allow code execution because wsprintfW does not support the %n specifier, and the output buffer size limits prevent buffer overflow.

Impact Analysis

This vulnerability can impact users by allowing attackers to cause a denial of service (DoS) through reliable crashing of the Notepad++ application. This crash occurs when a malicious nativeLang.xml file containing crafted format strings is loaded and a search operation produces results.

Additionally, the vulnerability can lead to information disclosure by leaking sensitive memory contents such as stack and register data into the Find Results panel. This memory information could potentially aid attackers in further attacks or reconnaissance.

While the vulnerability does not allow direct code execution, the denial of service and information leakage can disrupt normal use of Notepad++ and expose sensitive internal memory data.

Detection Guidance

This vulnerability can be detected by checking if Notepad++ version 8.9.3 is installed and if the nativeLang.xml localization file contains malicious format string specifiers in the <find-result-hits> attribute. Specifically, a crafted nativeLang.xml file with format specifiers like "%s" or "%08lx" can trigger the vulnerability during search operations.

To detect exploitation attempts or presence of the vulnerability, you can look for crashes or abnormal behavior in Notepad++ when performing search operations such as "Find All in Current Document".

Suggested detection steps include:

  • Verify the Notepad++ version installed (should not be 8.9.3 vulnerable version). For example, run: `notepad++ --version` or check the About dialog.
  • Check for the presence of nativeLang.xml in the Notepad++ directory or in `%APPDATA%\Notepad++`.
  • Inspect the nativeLang.xml file for suspicious format specifiers in the <find-result-hits> attribute, e.g., using a command like `findstr /C:"%s" nativeLang.xml` on Windows or `grep "%s" nativeLang.xml` on Unix-like systems.
  • Monitor application logs or Windows Event Viewer for crashes related to Notepad++ during search operations.

Proof of concept involves replacing or modifying nativeLang.xml with malicious payloads and performing a search operation that triggers the crash or information leak.

Compliance Impact

The CVE-2026-3008 vulnerability in Notepad++ allows attackers to obtain memory address information or cause the application to crash through a format string injection flaw. This can lead to information disclosure of sensitive memory contents.

Such information disclosure vulnerabilities can potentially impact compliance with data protection regulations like GDPR or HIPAA if the leaked memory contains personal or sensitive data. Unauthorized access to memory contents may violate confidentiality requirements mandated by these standards.

However, the vulnerability does not allow code execution or direct data modification, limiting the scope of impact. Mitigation by updating to Notepad++ version 8.9.4 is recommended to address the issue and reduce compliance risks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3008. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart