CVE-2026-48770
Analyzed Analyzed - Analysis Complete

Buffer Overflow in Notepad++ via WM_COPYDATA Message

Vulnerability report for CVE-2026-48770, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malformed WM_COPYDATA message to Notepad++ using the COPYDATA_FULL_CMDLINE path. The handler appears to process COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* instead of enforcing COPYDATASTRUCT.cbData. This vulnerability is fixed in 8.9.6.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-29
Generated
2026-07-17
AI Q&A
2026-06-27
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
notepad-plus-plus notepad++ to 8.9.6.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Notepad++ versions prior to 8.9.6.1. It allows a local process running in the same interactive Windows session to send a specially crafted WM_COPYDATA message to Notepad++ via the COPYDATA_FULL_CMDLINE path. The issue arises because Notepad++ processes the COPYDATASTRUCT.lpData as an unbounded NUL-terminated wide character string (wchar_t*) without properly enforcing the size specified in COPYDATASTRUCT.cbData. This improper handling can lead to unexpected behavior or exploitation.

Impact Analysis

The vulnerability has a CVSS v3.1 base score of 5.0, indicating a medium severity. It requires local access with low privileges and user interaction. While it does not impact confidentiality or integrity, it can cause a denial of service (availability impact) in Notepad++. This means an attacker could potentially crash or disrupt the Notepad++ application running in the same Windows session.

Mitigation Strategies

To mitigate this vulnerability, update Notepad++ to version 8.9.6.1 or later, where the issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48770. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart