Critical Vulnerability in Notepad++ Allows DoS and Memory Disclosure
Severity: High (Score: 75.2)
Sources: Gbhackers, Cybersecuritynews, llgsjsm.github.io, Csa.Sg, github.com
Summary
A format string injection vulnerability, tracked as CVE-2026-3008, has been identified in Notepad++ version 8.9.3. The flaw enables attackers to crash the application or leak sensitive memory contents through a malicious language pack. It affects Notepad++ users who load a compromised nativeLang.xml file, leading to a denial of service (DoS) and potential information disclosure. The Cybersecurity Agency of Singapore (CSA) has issued an urgent advisory urging users to upgrade to version 8.9.4 to mitigate the risk. The vulnerability was publicly disclosed on April 27, 2026, with a proof of concept available since April 20, 2026. Users are strongly advised to update their software immediately to avoid exploitation. The attack vector relies on the application's improper handling of format strings: externally controlled strings from the language pack are treated as format strings, which can lead to crashes and disclosure of memory contents.

Key Points:
- CVE-2026-3008 allows attackers to crash Notepad++ or leak memory data.
- Users must upgrade to Notepad++ version 8.9.4 to mitigate the vulnerability.
- The vulnerability was disclosed on April 27, 2026, with a PoC available since April 20, 2026.
Key Entities
- Data Breach (attack_type)
- DDoS (attack_type)
- Zero-day Exploit (attack_type)
- CVE-2026-3008 (cve)
- CWE-134 - Use of Externally-Controlled Format String (cwe)
- CWE-94 - Code Injection (cwe)
- Format String Injection Vulnerability (vulnerability)