Critical DoS Vulnerability in Notepad++ Exposes Users to Attacks

Severity: Medium (Score: 57.8)

Sources: attack.mitre.org, nvd.nist.gov, Securin

Published: 2026-06-08 · Updated: 2026-06-08

Keywords: stack-based, buffer, overflow, notepad, file, drop, handler

Severity indicators: buffer overflow, ot

Summary

A stack-based buffer overflow vulnerability (CVE-2026-5525) has been identified in Notepad++ version 8.9.3. This flaw occurs when a user drops a directory path of 259 characters onto the application, causing a stack buffer overflow and resulting in a denial of service (DoS). The vulnerability was reproduced in a sandboxed environment and requires only LAN or WiFi adjacency to exploit. The issue arises from inadequate bounds checking when appending a backslash and null terminator to the buffer. The vulnerability was remediated by implementing proper bounds validation. Users are advised to update to the latest version to mitigate risks. This incident highlights the potential for exploitation in widely-used applications, affecting numerous users globally.

Key Points:

  • CVE-2026-5525 is a critical stack-based buffer overflow in Notepad++ 8.9.3.
  • Exploitation leads to denial of service, requiring only local network access.
  • Users should update to the latest version to mitigate the vulnerability.

Detailed Analysis

**Impact** Users of Notepad++ version 8.9.3 are affected by a stack-based buffer overflow vulnerability that causes application crashes, resulting in denial of service. The issue impacts endpoint availability on systems where Notepad++ is installed, potentially disrupting workflows that rely on this text editor. The vulnerability requires LAN or WiFi adjacency, limiting exploitation to local or network-adjacent attackers. No data exfiltration or compromise beyond service disruption has been reported.

**Technical Details** The vulnerability (CVE-2026-5525) is a stack-based buffer overflow in the file drop handler triggered by dragging and dropping a directory path of exactly 259 characters without a trailing backslash. The application appends a backslash and null terminator without proper bounds checking, causing a STATUS_STACK_BUFFER_OVERRUN (0xC0000409) and crashing the application. Exploitation results in endpoint denial of service (MITRE ATT&CK T1499) and requires user interaction with the file drop feature. No malware or additional infrastructure details were reported.

**Recommended Response** Apply the vendor-provided patch that adds proper bounds validation before appending characters to the buffer in Notepad++ version 8.9.3. Monitor for unusual application crashes related to file drop operations. Restrict network access to trusted users to reduce LAN/WiFi adjacency risk. Deploy endpoint detection rules for abnormal process terminations and maintain updated antivirus signatures to detect potential exploitation attempts.
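The bounds check that Technical Details says was missing, as an added example (this is not Notepad++ source code and not the vendor's patch). It shows why 259 characters is the boundary: the path plus an appended backslash plus the terminator needs 261 elements. Assumptions: a 260-element destination buffer (Windows MAX_PATH), narrow `char` instead of wide characters, and hypothetical function names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: destination is a fixed 260-element buffer (Windows MAX_PATH). */
#define PATH_CAP 260

/* Elements needed for `len` path characters plus '\\' plus the terminator. */
size_t needed_with_separator(size_t len) { return len + 2; }

/* Hypothetical helper: append a trailing backslash only if it fits.
   Returns 0 on success (or if already present), -1 if it would overflow. */
int ensure_trailing_backslash(char *buf, size_t cap)
{
    const char *end;
    size_t len;

    if (buf == NULL || cap == 0) return -1;
    end = memchr(buf, '\0', cap);          /* never scan past the buffer */
    if (end == NULL) return -1;            /* unterminated input */
    len = (size_t)(end - buf);
    if (len > 0 && buf[len - 1] == '\\') return 0;
    if (needed_with_separator(len) > cap) return -1;  /* the missing check */
    buf[len] = '\\';
    buf[len + 1] = '\0';
    return 0;
}

/* Constructed input: a path of n characters, optionally ending in '\\'. */
int try_path(size_t n, int trailing)
{
    char buf[PATH_CAP];

    if (n == 0 || n >= PATH_CAP) return -1;
    memset(buf, 'a', n);
    if (trailing) buf[n - 1] = '\\';
    buf[n] = '\0';
    return ensure_trailing_backslash(buf, sizeof buf);
}

int main(void)
{
    printf("258 chars: %d\n", try_path(258, 0));            /* fits exactly */
    printf("259 chars: %d\n", try_path(259, 0));            /* rejected */
    printf("259 chars, trailing '\\': %d\n", try_path(259, 1));
    return 0;
}
```

A caller that receives -1 should reject the dropped path instead of writing past the buffer.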

Source articles (3)

  • CVE-2026-5525: Stack-Based Buffer Overflow in Notepad++ File Drop Handler leads to — Securin · 2026-06-08
    A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 within the file drop handler component (PowerEditor/src/Notepad_plus.cpp, lines 4514-4526). The vulnerability is triggered…
  • T1499 · Endpoint Denial of Service — attack.mitre.org · 2026-06-08
    Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those servi…
  • CVE 2026 5525 — nvd.nist.gov · 2026-06-08
    A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in the file drop handler component. When a user drags and drops a directory path of exactly 259 characters without a trail…

Timeline

  • 2026-04-10 — CVE-2026-5525 published: A stack-based buffer overflow vulnerability in Notepad++ was disclosed, affecting version 8.9.3.
  • 2026-06-08 — Vulnerability details reported: The vulnerability can be triggered by dragging a specific directory path, leading to application crash.
  • 2026-06-08 — Remediation released: Notepad++ developers released a fix that adds proper bounds checking to prevent the overflow.

CVEs

  • CVE-2026-5525

Related entities

  • OnionDuke (Apt Group)
  • Sandworm Team (Apt Group)
  • DDoS (Attack Type)
  • Zero-day Exploit (Attack Type)
  • Georgian Government (Company)
  • CWE-120 - Classic Buffer Overflow (Cwe)
  • Government (Industry)
  • ZxShell (Malware)
  • T1499 - Endpoint Denial of Service (Mitre Attack)
  • Httpd (Platform)
  • Nginx (Tool)
  • Sshd (Tool)