CVE-2026-5525 – Notepad++ Stack-Based Buffer Overflow (DoS) Zero-day Vulnerability

A stack-based buffer overflow zero-day vulnerability has been identified in Notepad++ v8.9.3, specifically within the file drop handler component. The following are the vulnerability details:

CVE ID: CVE-2026-5525
Affected Version: Notepad++ 8.9.3
Component: File Drop Handler (Notepad_plus.cpp, lines 4514–4526)
Type: Stack-Based Buffer Overflow

The issue occurs when a user drags and drops a directory path of exactly 259 characters (MAX_PATH - 1) without a trailing backslash into the Notepad++ window.

During processing, the application attempts to append:

A backslash (\)
A null terminator

However, due to insufficient bounds checking, this results in writing beyond the allocated buffer (wchar_t pathDropped[MAX_PATH]), causing a stack buffer overflow.

Impact - Denial of Service (DoS):

The overflow triggers a STATUS_STACK_BUFFER_OVERRUN (0xC0000409) error, leading to:
- Immediate application crash
- Potential loss of unsaved work

As of now, no official patch has been released, so users are advised to take precautionary measures:

Avoid dragging and dropping long or untrusted directory paths into Notepad++
Open files using File → Open instead of drag-and-drop when possible
Ensure frequent saving of work to prevent data loss from unexpected crashes
Limit exposure by avoiding use of affected versions in critical environments
Monitor vendor releases and update immediately once a patch is available

Cheers,

ManageEngine Team

Topic Participants
Hareesh Balaji NS

CVE-2026-5525 – Notepad++ Stack-Based Buffer Overflow (DoS) Zero-day Vulnerability

CVE-2026-5525 – Notepad++ Stack-Based Buffer Overflow (DoS) Zero-day Vulnerability

Impact - Denial of Service (DoS):

Topic Participants

Hareesh Balaji NS