Description
A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in the file drop handler component. When a user drags and drops a directory path of exactly 259 characters without a trailing backslash, the application appends a backslash and null terminator without proper bounds checking, resulting in a stack buffer overflow and application crash (STATUS_STACK_BUFFER_OVERRUN).
Published: 2026-04-10
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A stack-based buffer overflow exists in Notepad++ 8.9.3’s file drop handler, triggered when a user drags and drops a directory path of exactly 259 characters without a trailing backslash. The application appends a backslash and null terminator without performing bounds checking, causing a stack overflow that leads to process termination (STATUS_STACK_BUFFER_OVERRUN). This results in a denial‑of‑service condition, allowing an attacker to crash Notepad++ when they control the path length and can execute the drop.

Affected Systems

The vulnerability affects the Notepad++ project’s product, Notepad++. Only version 8.9.3 is known to be impacted; later releases have reportedly patched the flaw.

Risk and Exploitability

The CVSS score of 6.0 indicates moderate severity, and the EPSS value is not available. The defect is not listed in the CISA KEV catalog and appears to be exploitable only by local users able to perform a drag‑and‑drop operation. Consequently, the primary risk is a local denial of service to anyone operating Notepad++ on the affected system.

Generated by OpenCVE AI on April 10, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Notepad++ release that contains the buffer overflow fix.
  • Until the patch is applied, avoid dragging directories with a 259‑character path into Notepad++.
  • Verify the installation of the updated version to ensure the vulnerability is mitigated.

Generated by OpenCVE AI on April 10, 2026 at 09:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Notepad++
Notepad++ notepad++
Notepad-plus-plus
Notepad-plus-plus notepad++
Vendors & Products Notepad++
Notepad++ notepad++
Notepad-plus-plus
Notepad-plus-plus notepad++

Fri, 10 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
Description A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in the file drop handler component. When a user drags and drops a directory path of exactly 259 characters without a trailing backslash, the application appends a backslash and null terminator without proper bounds checking, resulting in a stack buffer overflow and application crash (STATUS_STACK_BUFFER_OVERRUN).
Title Stack-Based Buffer Overflow in Notepad++ File Drop Handler leads to DoS
Weaknesses CWE-121
References
Metrics cvssV3_1

{'score': 6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Notepad++ Notepad++
Notepad-plus-plus Notepad++
cve-icon MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-04-10T12:49:59.124Z

Reserved: 2026-04-04T05:59:46.561Z

Link: CVE-2026-5525

cve-icon Vulnrichment

Updated: 2026-04-10T12:49:44.644Z

cve-icon NVD

Status : Received

Published: 2026-04-10T08:16:26.067

Modified: 2026-04-10T13:16:45.940

Link: CVE-2026-5525

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T14:40:55Z

Weaknesses