CVE-2026-48770
Received - Intake
Buffer Overflow in Notepad++ via WM_COPYDATA Message

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malformed WM_COPYDATA message to Notepad++ using the COPYDATA_FULL_CMDLINE path. The handler appears to process COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* instead of enforcing COPYDATASTRUCT.cbData. This vulnerability is fixed in 8.9.6.1.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-27
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: notepad++
Product: notepad++
Version / Range: 8.9.6.1
CWE ID: CWE-125
Description: The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

This vulnerability exists in Notepad++ versions prior to 8.9.6.1. It allows a local process running in the same interactive Windows session to send a specially crafted WM_COPYDATA message to Notepad++ via the COPYDATA_FULL_CMDLINE path. The issue arises because the handler processes COPYDATASTRUCT.lpData as an unbounded NUL-terminated wide-character string (wchar_t*) without enforcing the size specified in COPYDATASTRUCT.cbData. As a result, the handler can read past the end of the supplied buffer (CWE-125).
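
The difference between scanning for a NUL and enforcing cbData, as an added example that is not Notepad++ code. The `copydata_t` struct is a constructed stand-in for the Windows COPYDATASTRUCT, `uint16_t` models the 16-bit Windows wchar_t, and the helper names `unbounded_wlen` and `bounded_wlen` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the Windows COPYDATASTRUCT so the example builds
   anywhere; uint16_t models the 16-bit Windows wchar_t. */
typedef struct {
    uintptr_t   dwData; /* message type chosen by the sender */
    uint32_t    cbData; /* size of lpData in BYTES, also sender-controlled */
    const void *lpData; /* payload; only cbData bytes are valid */
} copydata_t;

/* Unsafe pattern described in the advisory: scan for NUL and ignore cbData.
   With no terminator inside the buffer, the loop reads past its end.
   Shown for contrast; only call it on terminated input. */
size_t unbounded_wlen(const copydata_t *cds) {
    const uint16_t *s = (const uint16_t *)cds->lpData;
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* Bounded form: returns the string length in code units, or -1 when the
   payload is malformed (NULL, empty, odd byte count, or no NUL in cbData). */
long bounded_wlen(const copydata_t *cds) {
    if (cds == NULL || cds->lpData == NULL) return -1;
    if (cds->cbData < sizeof(uint16_t) || cds->cbData % sizeof(uint16_t) != 0)
        return -1;
    const uint16_t *s = (const uint16_t *)cds->lpData;
    size_t max_units = cds->cbData / sizeof(uint16_t);
    for (size_t i = 0; i < max_units; i++)
        if (s[i] == 0) return (long)i;  /* terminator inside the buffer */
    return -1;                          /* unterminated: reject the message */
}

/* Constructed sample payloads. */
static const uint16_t ok_payload[]  = { 'a', '.', 't', 'x', 't', 0 };
static const uint16_t bad_payload[] = { 'a', '.', 't', 'x', 't' }; /* no NUL */

int main(void) {
    copydata_t ok  = { 0, (uint32_t)sizeof ok_payload,  ok_payload };
    copydata_t bad = { 0, (uint32_t)sizeof bad_payload, bad_payload };
    return (bounded_wlen(&ok) == 5 && bounded_wlen(&bad) == -1) ? 0 : 1;
}
```

A handler that rejects the message when the bounded check returns -1 never touches memory outside the cbData bytes the sender actually supplied.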

Impact Analysis

The vulnerability has a CVSS v3.1 base score of 5.0, indicating medium severity. Exploitation requires local access with low privileges and user interaction. While it does not impact confidentiality or integrity, it can cause a denial of service (availability impact) in Notepad++. This means an attacker could potentially crash or disrupt the Notepad++ application running in the same Windows session.

Mitigation Strategies

To mitigate this vulnerability, update Notepad++ to version 8.9.6.1 or later, where the issue has been fixed.
