Notepad++ Flaw: Attackers Crash App, Leak Vulnerability Allows

Notepad++, one of the most widely used open-source text editors among developers and IT professionals, has a newly identified security vulnerability.

The vulnerability CVE-2026-3008, which could allow a remote attacker to crash the application or extract sensitive memory address information from affected systems.

The vulnerability is a string injection flaw located within the FindInFiles functionality of Notepad++. Specifically, the issue arises when the nativeLang.xml configuration file’s "find-result-hits" field contains a "%s" format specifier, triggering unexpected behavior during search operations.

This type of vulnerability can lead to improper memory handling, enabling threat actors to either cause a denial-of-service (DoS) condition by crashing the application or gather memory address information that could be leveraged in further exploitation attempts.

The second one, CVE-2026-6539, has also been linked to the same patch, suggesting additional related security concerns were addressed alongside the primary vulnerability.

Successful exploitation could disrupt workflows for developers, system administrators, and security analysts who rely on Notepad++ for day-to-day operations.

Memory disclosure vulnerabilities, while sometimes considered low-severity in isolation, are often chained with other exploits to bypass security mitigations such as Address Space Layout Randomization (ASLR).

Affected Version

The vulnerability specifically affects:

• Notepad++ version 8.9.3

Users running earlier versions should assume they are equally at risk and apply the available patch without delay.

Patch Released

The Notepad++ Product Owner Mr Hazley Samsudin, has responded promptly by releasing version 8.9.4, which directly addresses both CVE-2026-3008 and CVE-2026-6539.

The fix resolves the crash behavior in the FindInFiles feature when format strings are improperly parsed from the nativeLang.xml file. The patch details are publicly documented on the official Notepad++ GitHub repository under issue #17960.

Mitigations

CSA strongly advises all users and administrators running the affected version to take the following action immediately:

• Update to Notepad++ version 8.9.4 via the official Notepad++ website or the built-in update mechanism
• Verify the integrity of the downloaded installer using official checksums
• Monitor systems for any unusual application behavior that may indicate prior exploitation attempts

Given the widespread deployment of Notepad++ across enterprise environments and developer workstations, organizations should prioritize this update within their standard patch management cycles.

Users who rely on custom nativeLang.xml configurations are particularly urged to apply the fix without delay.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.