CVE-2026-6539
Status: Received - Intake
Format String Injection in Notepad++ via Malicious Language Pack

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: VulnCheck

Description
Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language pack through community channels that triggers format string interpretation when a user performs search operations, leading to access violations and potential leakage of stack or register contents.
Meta Information
Published: 2026-04-30
Last Modified: 2026-05-01
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: notepad-plus-plus
Product: notepad++
Version / Range: 8.9.3
CWE
CWE-134: The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Notepad++ version 8.9.3 and involves a format string injection in the Find Results panel handler.

Attackers can craft a malicious nativeLang.xml language pack file that, when used, triggers format string interpretation during search operations.

This can cause denial of service and information disclosure by causing access violations and potentially leaking stack or register contents.

The malicious language pack can be distributed through community channels, making it possible for users to unknowingly trigger the vulnerability.


How can this vulnerability impact me?

The vulnerability can lead to denial of service, causing the application to crash or become unusable.

It can also result in information disclosure by leaking sensitive data such as stack or register contents.

This could potentially expose internal application data or memory contents to an attacker.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how the format string injection vulnerability in Notepad++ 8.9.3 (CVE-2026-6539) impacts compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your Notepad++ installation is a version prior to 8.9.4, as versions before this are affected by the format string injection vulnerability in the Find Results panel handler.

Specifically, detection involves verifying if any malicious or poisoned nativeLang.xml language pack files are present, as these files trigger the vulnerability when search operations are performed.

There are no explicit commands provided in the resources to detect the vulnerability or scan for malicious language packs.
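
As a defender-side check to go with the detection answer above (an added example, not from this page or the Notepad++ project): compare the printf-style conversion specifiers of every string in an untrusted nativeLang.xml against a trusted baseline pack, and flag entries whose specifier set differs or that contain "%n". The element names and the three XML samples are constructed approximations, not the real file layout.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# printf-style conversion: %[flags][width][.precision][length]conversion; "%%" is a literal percent
SPEC_RE = re.compile(
    r"%(?:%|[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|L|z|j|t|I64|I32|I)?[diouxXeEfgGaAcspn])")

def spec_counts(text):
    """Multiset of conversion characters found in text ("%%" is not counted)."""
    return Counter(m.group(0)[-1] for m in SPEC_RE.finditer(text) if m.group(0) != "%%")

def walk_strings(xml_text):
    """Yield (key, value) for every attribute and text node. Keys are element paths with the
    id attribute or the child index in brackets (an assumed scheme, not Notepad++'s own)."""
    def rec(elem, path, idx):
        here = f"{path}/{elem.tag}[{elem.get('id') or idx}]"
        for attr, val in elem.attrib.items():
            yield f"{here}@{attr}", val
        if elem.text and elem.text.strip():
            yield f"{here}#text", elem.text.strip()
        for i, child in enumerate(elem):
            yield from rec(child, here, i)
    yield from rec(ET.fromstring(xml_text), "", 0)

def audit_language_pack(candidate_xml, baseline_xml):
    """Return (key, reason, value) for entries whose specifiers differ from the baseline, unknown entries with specifiers, or any "%n"."""
    baseline = dict(walk_strings(baseline_xml))
    findings = []
    for key, val in walk_strings(candidate_xml):
        got = spec_counts(val)
        if key not in baseline:
            if got:
                findings.append((key, "entry not in baseline carries specifiers", val))
            continue
        expect = spec_counts(baseline[key])
        if got["n"]:
            findings.append((key, "%n present", val))
        elif got != expect:
            findings.append((key, f"specifiers {dict(got)} differ from baseline {dict(expect)}", val))
    return findings

# Constructed samples (element names only approximate nativeLang.xml): trusted English pack, faithful translation, poisoned pack.
BASELINE_XML = """<NotepadPlus><Native-Langue name="English"><MiscStrings>
  <find-result-title value="Search"/>
  <find-result-hits value="(%d hits)"/>
</MiscStrings></Native-Langue></NotepadPlus>"""
LOCALISED_XML = BASELINE_XML.replace("English", "Deutsch").replace("Search", "Suche").replace("hits)", "Treffer)")
POISONED_XML = BASELINE_XML.replace("(%d hits)", "(%d hits) %x %x %n")
```

Run `audit_language_pack(POISONED_XML, BASELINE_XML)` to see the flagged entry; the faithful translation produces no findings because only the words change, not the specifiers.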


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update Notepad++ to version 8.9.4 or later, as this version addresses the format string injection vulnerability (CVE-2026-6539) by fixing the crash issue related to the nativeLang.xml file.

Additionally, avoid using or installing untrusted or community-distributed nativeLang.xml language pack files to prevent exploitation.

