CVE-2026-5525 – Notepad++ Stack-Based Buffer Overflow (DoS) Zero-day Vulnerability
A stack-based buffer overflow zero-day vulnerability has been identified in Notepad++ v8.9.3, specifically within the file drop handler component. The following are the vulnerability details:
- CVE ID: CVE-2026-5525
- Affected Version: Notepad++ 8.9.3
-
Component: File Drop Handler (
Notepad_plus.cpp, lines 4514–4526) - Type: Stack-Based Buffer Overflow
The issue occurs when a user drags and drops a directory path of exactly 259 characters (MAX_PATH - 1) without a trailing backslash into the Notepad++ window.
During processing, the application attempts to append:
-
A backslash (
\) - A null terminator
However, due to insufficient bounds checking, this results in writing beyond the allocated buffer (wchar_t pathDropped[MAX_PATH]), causing a stack buffer overflow.
Impact - Denial of Service (DoS):
- The overflow triggers a
STATUS_STACK_BUFFER_OVERRUN (0xC0000409)error, leading to:- Immediate application crash
-
Potential loss of unsaved work
As of now, no official patch has been released, so users are advised to take precautionary measures:
- Avoid dragging and dropping long or untrusted directory paths into Notepad++
- Open files using File → Open instead of drag-and-drop when possible
- Ensure frequent saving of work to prevent data loss from unexpected crashes
- Limit exposure by avoiding use of affected versions in critical environments
- Monitor vendor releases and update immediately once a patch is available
Cheers,
ManageEngine Team