Notepad++ Vulnerability Allows Attackers to Crash Application and Leak Memory Data

A newly discovered vulnerability in Notepad++ is raising security concerns among developers and IT professionals worldwide.

The flaw, tracked as CVE-2026-3008, affects Notepad++ version 8.9.3 and can allow attackers to crash the application or extract sensitive memory data.

The Cyber Security Agency of Singapore (CSA) has issued an urgent advisory, warning users to upgrade to version 8.9.4 immediately to prevent potential exploitation.

Technical Details of the Vulnerability

The issue stems from how Notepad++ processes its language configuration files, specifically the nativeLang.xml file.

During the use of the “Find in Files” or “Find ALL in Current Document” feature, the application fails to properly validate input within the find-result-hits parameter.

This leads to a format string injection vulnerability, a well-known programming flaw that can be exploited to manipulate application behavior.

If an attacker supplies a maliciously crafted nativeLang.xml file, they can inject format specifiers such as:

  • %s, which causes the application to crash, resulting in a Denial of Service (DoS)
  • %x or %08lx, which can expose sensitive memory contents, including CPU register values and stack data

This memory leakage can reveal critical information that attackers may use to bypass security protections like Address Space Layout Randomization (ASLR).

To exploit this flaw, an attacker must trick a victim into replacing their legitimate nativeLang.xml file with a malicious version.

This file is typically stored in the user’s AppData directory or within the root folder in portable installations.

Once the malicious file is in place, the exploit is triggered automatically when the victim performs a search operation within Notepad++. No further user interaction is required.

The vulnerability was responsibly disclosed by cybersecurity researcher Hazley Samsudin through Singapore’s National CERT.

Given Notepad++’s widespread use among developers, system administrators, and enterprises, this vulnerability poses a significant risk.

Memory disclosure issues are particularly dangerous as they can assist in further exploitation and privilege escalation attacks.

The Notepad++ development team has released version 8.9.4, which fixes the improper string handling issue.

Users and organizations are strongly advised to take immediate action:

  • Update immediately to Notepad++ version 8.9.4
  • Avoid downloading XML configuration files or plugins from untrusted sources
  • Verify the integrity of existing configuration files
  • Enterprises should prioritize patch deployment across all endpoints
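
One way to carry out the integrity check on configuration files is to compare the printf-style specifiers in the installed nativeLang.xml against a trusted copy. This is an added example, not code from Notepad++ or from the advisory. It assumes the find-result-hits parameter appears as an XML element of that name and that a trusted copy of the file is available from the official 8.9.4 package; the function names and the sample XML are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

PARAM = "find-result-hits"  # parameter named in the advisory

# One printf-style conversion: %[flags][width][.precision][length]type.
# "%%" is matched too so that it is consumed as a literal percent sign.
SPEC = re.compile(
    r"%(?:%|[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|I64|I32|w|j|z|t|L)?[diouxXeEfgGaAcCsSpn])"
)

def specifiers(xml_text, param=PARAM):
    """Return, in order, the conversions found in every <param> element."""
    # Hardening choice of this example: the file is untrusted input, so
    # refuse DTD/entity declarations instead of letting the parser expand them.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations refused in untrusted XML")
    found = []
    for el in ET.fromstring(xml_text).iter(param):
        for text in [*el.attrib.values(), el.text or ""]:
            found += [m for m in SPEC.findall(text) if m != "%%"]
    return found

def check(installed_xml, trusted_xml):
    """Return findings; an empty list means the specifiers match the trusted copy."""
    want, got = specifiers(trusted_xml), specifiers(installed_xml)
    if got != want:
        return [f"{PARAM}: installed specifiers {got} != trusted {want}"]
    return []

# Constructed samples (not copied from a real Notepad++ installation).
TRUSTED = """<NotepadPlus><Native-Langue><MiscStrings>
  <find-result-hits value="($INT_REPLACE$ hits)"/>
</MiscStrings></Native-Langue></NotepadPlus>"""
TAMPERED = TRUSTED.replace("$INT_REPLACE$", "%08lx %x %s")

if __name__ == "__main__":
    for name, doc in (("trusted", TRUSTED), ("tampered", TAMPERED)):
        print(name, check(doc, TRUSTED) or "OK")
```

Comparing against a trusted copy rather than flagging every `%` avoids false positives if the legitimate string itself carries a placeholder, and the same comparison can be run across endpoints before and after patch deployment.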

Prompt patching and cautious handling of configuration files can effectively mitigate the risk and protect systems from potential exploitation.

The post Notepad++ Vulnerability Allows Attackers to Crash Application and Leak Memory Data appeared first on Cyber Security News.