CVE-2026-5525
Analyzed Analyzed - Analysis Complete
Stack-Based Buffer Overflow in Notepad++ 8.9.3 Drop Handler

Publication date: 2026-04-10

Last updated on: 2026-06-05

Assigner: securin

Description
A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in the file drop handler component. When a user drags and drops a directory path of exactly 259 characters without a trailing backslash, the application appends a backslash and null terminator without proper bounds checking, resulting in a stack buffer overflow and application crash (STATUS_STACK_BUFFER_OVERRUN).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-06-05
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5525
EUVD
EUVD-2026-21334
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
notepad-plus-plus notepad++ 8.9.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stack-based buffer overflow in Notepad++ version 8.9.3, specifically in the file drop handler component. When a user drags and drops a directory path that is exactly 259 characters long without a trailing backslash, the application tries to append a backslash and a null terminator to the path buffer without checking if there is enough space. This causes the program to write beyond the allocated buffer size, corrupting adjacent memory on the stack.

The overflow corrupts the stack, including security mechanisms like the /GS cookie, which triggers a security failure handler and causes the application to crash immediately with a STATUS_STACK_BUFFER_OVERRUN error.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition. When exploited, it causes Notepad++ to crash reliably due to the stack buffer overflow and subsequent security cookie failure.

Because the overflow corrupts stack memory, it could potentially lead to memory corruption issues, but the built-in security cookie prevents straightforward exploitation beyond causing a crash.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the crash condition on a system running Notepad++ version 8.9.3. Specifically, dropping a directory path of exactly 259 characters without a trailing backslash onto the Notepad++ window triggers the stack buffer overflow and causes the application to crash.

A proof-of-concept script named `poc_drop_overflow.py` is mentioned as a way to simulate dropping such a directory path to reliably reproduce the crash.

No specific network detection commands are provided, but detection involves observing Notepad++ crashes with the status code `0xC0000409` (STATUS_STACK_BUFFER_OVERRUN) when handling long directory paths.

Mitigation Strategies

The immediate mitigation step is to update Notepad++ to a version that includes the fix for this vulnerability.

The fix involves changes in the `dropFiles` function to properly handle long directory paths by using Unicode-aware functions and adding boundary checks before appending a trailing backslash and null terminator to the path buffer.

  • Replace the ANSI `DragQueryFile` function with the Unicode `DragQueryFileW`.
  • Initialize the path buffer with zeroes to avoid memory issues.
  • Add a boundary check to ensure the path length plus one does not exceed `MAX_PATH` before appending a backslash.

Until the update is applied, avoid dragging and dropping directories with path lengths near 259 characters into Notepad++ to prevent triggering the crash.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5525. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart