Description
Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malformed WM_COPYDATA message to Notepad++ using the COPYDATA_FULL_CMDLINE path. The handler appears to process COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* instead of enforcing COPYDATASTRUCT.cbData. This vulnerability is fixed in 8.9.6.1.
Published: 2026-06-26
Score: 5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Notepad++ is vulnerable to a local denial‑of‑service that can be triggered by a process in the same interactive Windows session. By sending a malformed WM_COPYDATA message through the COPYDATA_FULL_CMDLINE path, the handler interprets the data buffer as an unbounded NUL‑terminated wide string, ignoring the declared size in the COPYDATASTRUCT.cbData field. This buffer over‑read flaw, identified by CWE‑125, causes the application to crash when it attempts to process the malformed input.
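The bounded handling this entry describes (enforcing cbData instead of scanning lpData for a NUL), as an added example; it is not Notepad++'s code or its 8.9.6.1 patch. The names copydata_t, wchar16 and copy_cmdline_bounded are hypothetical stand-ins so the block compiles without windows.h, and rejecting unterminated payloads is an assumed policy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef uint16_t wchar16;            /* Windows wchar_t is a 16-bit code unit */

/* Portable stand-in for the Win32 COPYDATASTRUCT fields (assumption). */
typedef struct {
    uintptr_t   dwData;              /* message type chosen by the sender */
    uint32_t    cbData;              /* size of lpData in BYTES */
    const void *lpData;              /* sender-controlled payload */
} copydata_t;

/* Copy the command line out of the payload without reading past cbData.
 * Returns its length in code units, or -1 if the payload is malformed. */
long copy_cmdline_bounded(const copydata_t *cds, wchar16 *out, size_t out_units)
{
    if (!cds || !cds->lpData || !out || out_units == 0)
        return -1;
    if (cds->cbData == 0 || cds->cbData % sizeof(wchar16) != 0)
        return -1;                   /* empty or not a whole number of units */
    const unsigned char *src = cds->lpData;
    size_t units = cds->cbData / sizeof(wchar16);
    size_t len = 0;
    while (len < units) {            /* bounded scan: never reads past cbData */
        wchar16 c;
        memcpy(&c, src + len * sizeof c, sizeof c);   /* alignment-safe read */
        if (c == 0)
            break;
        len++;
    }
    if (len == units || len >= out_units)
        return -1;                   /* no terminator inside cbData, or too long */
    memcpy(out, src, len * sizeof(wchar16));
    out[len] = 0;
    return (long)len;
}

int main(void)
{
    /* Constructed payloads: one terminated, one filling cbData with no NUL. */
    wchar16 good[] = { 'a', '.', 't', 'x', 't', 0 }, bad[] = { 'A', 'A', 'A', 'A' };
    copydata_t ok = { 0, sizeof good, good }, unterminated = { 0, sizeof bad, bad };
    wchar16 out[16];
    printf("terminated:   %ld\n", copy_cmdline_bounded(&ok, out, 16));
    printf("unterminated: %ld\n", copy_cmdline_bounded(&unterminated, out, 16));
    return 0;
}
```
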

Affected Systems

All versions of Notepad++ released prior to 8.9.6.1 on Windows are affected. The issue was fixed in version 8.9.6.1 and later, so any installation that has not been updated to that revision remains vulnerable.

Risk and Exploitability

The CVSS score of 5.0 indicates moderate severity. Because triggering the flaw requires a local process able to send WM_COPYDATA in the same user session, remote attackers cannot leverage it directly. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation is currently unlikely, but the risk to any machine running an outdated version remains real.

Generated by OpenCVE AI on June 26, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Notepad++ version 8.9.6.1 or later to apply the fix that enforces the COPYDATASTRUCT.cbData field.
  • If an immediate update is not possible, disable any third‑party plugin or feature that exposes the COPYDATA_FULL_CMDLINE interface in Notepad++.
  • Restrict local processes from sending WM_COPYDATA messages to Notepad++ by applying local group policy restrictions or application whitelisting to block the SendMessage call with WM_COPYDATA.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malformed WM_COPYDATA message to Notepad++ using the COPYDATA_FULL_CMDLINE path. The handler appears to process COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* instead of enforcing COPYDATASTRUCT.cbData. This vulnerability is fixed in 8.9.6.1.
Title Notepad++ WM_COPYDATA COPYDATA_FULL_CMDLINE local DoS crash
Weaknesses CWE-125
References
Metrics cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T20:22:17.683Z

Reserved: 2026-05-22T19:39:05.356Z

Link: CVE-2026-48770

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:30:04Z

Weaknesses