CVE-2026-5525
Stack-Based Buffer Overflow in Notepad++ 8.9.3 Drop Handler
Publication date: 2026-04-10
Last updated on: 2026-04-10
Assigner: securin
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| notepad++ | notepad++ | 8.9.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stack-based buffer overflow in Notepad++ version 8.9.3, specifically in the file drop handler component. When a user drags and drops a directory path that is exactly 259 characters long without a trailing backslash, the application tries to append a backslash and a null terminator to the path buffer without checking if there is enough space. This causes the program to write beyond the allocated buffer size, corrupting adjacent memory on the stack.
The overflow corrupts the stack, including security mechanisms like the /GS cookie, which triggers a security failure handler and causes the application to crash immediately with a STATUS_STACK_BUFFER_OVERRUN error.
How can this vulnerability impact me?
The primary impact of this vulnerability is a denial of service (DoS) condition. When exploited, it causes Notepad++ to crash reliably due to the stack buffer overflow and subsequent security cookie failure.
Because the overflow corrupts stack memory, it could potentially lead to memory corruption issues, but the built-in security cookie prevents straightforward exploitation beyond causing a crash.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the crash condition on a system running Notepad++ version 8.9.3. Specifically, dropping a directory path of exactly 259 characters without a trailing backslash onto the Notepad++ window triggers the stack buffer overflow and causes the application to crash.
A proof-of-concept script named `poc_drop_overflow.py` is mentioned as a way to simulate dropping such a directory path to reliably reproduce the crash.
No specific network detection commands are provided, but detection involves observing Notepad++ crashes with the status code `0xC0000409` (STATUS_STACK_BUFFER_OVERRUN) when handling long directory paths.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Notepad++ to a version that includes the fix for this vulnerability.
The fix involves changes in the `dropFiles` function to properly handle long directory paths by using Unicode-aware functions and adding boundary checks before appending a trailing backslash and null terminator to the path buffer.
- Replace the ANSI `DragQueryFile` function with the Unicode `DragQueryFileW`.
- Initialize the path buffer with zeroes to avoid memory issues.
- Add a boundary check to ensure the path length plus one does not exceed `MAX_PATH` before appending a backslash.
Until the update is applied, avoid dragging and dropping directories with path lengths near 259 characters into Notepad++ to prevent triggering the crash.
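The boundary check described in the mitigation steps above, as an added example in portable C (not Notepad++'s own code and not the project's patch). `ensure_trailing_backslash`, `make_path` and `PATH_CAP` are hypothetical names, `PATH_CAP` is assumed to mirror the Win32 `MAX_PATH` value of 260, and the check reserves room for both the backslash and the null terminator.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define PATH_CAP 260  /* assumption: same value as the Win32 MAX_PATH constant */

/* Unchecked pattern as the page describes it (sketch, kept as a comment):
 *     size_t len = wcslen(path);
 *     path[len] = L'\\';        len == 259 is the last valid slot
 *     path[len + 1] = L'\0';    index 260 is one element past the buffer
 */

/* Hardened form: append '\\' only when the separator AND the terminator fit.
 * Returns 0 on success (or when the separator is already present), -1 when
 * the path is unterminated or has no room. Nothing is written on -1. */
int ensure_trailing_backslash(wchar_t *path, size_t cap)
{
    size_t len = 0;
    while (len < cap && path[len] != L'\0')   /* bounded length scan */
        len++;
    if (len == cap)
        return -1;                 /* no terminator inside the buffer */
    if (len > 0 && path[len - 1] == L'\\')
        return 0;                  /* nothing to append */
    if (len + 2 > cap)
        return -1;                 /* '\\' plus L'\0' would not fit */
    path[len] = L'\\';
    path[len + 1] = L'\0';
    return 0;
}

/* Constructed input: a path of n characters ("C:\" followed by 'a' filler). */
static void make_path(wchar_t *buf, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        buf[i] = L'a';
    if (n >= 3) { buf[0] = L'C'; buf[1] = L':'; buf[2] = L'\\'; }
    buf[n] = L'\0';
}

int main(void)
{
    wchar_t path[PATH_CAP] = {0};   /* zero-initialized buffer, as in the fix */
    make_path(path, 259);           /* the length named on the page */
    printf("259 chars -> %d\n", ensure_trailing_backslash(path, PATH_CAP));
    make_path(path, 258);
    printf("258 chars -> %d\n", ensure_trailing_backslash(path, PATH_CAP));
    return 0;
}
```

A caller that receives -1 should skip or report the path instead of passing it on.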
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.