Stack-Based Buffer Overflow in Notepad++ Affects Users Dragging Directories
CVE-2026-5525

6 MEDIUM

Key Information:

CVE Published: 10 April 2026

What is CVE-2026-5525?

Notepad++ version 8.9.3 contains a stack-based buffer overflow in its handling of dragged-and-dropped directory paths. When a directory path exactly 259 characters long is dropped, the application appends a trailing backslash and a null terminator without adequate bounds checking. This flaw can lead to a stack buffer overflow, which crashes the application and potentially exposes user data to security risks.
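The arithmetic behind the 259-character boundary, with a bounds-checked append, as an added example that is not Notepad++ code. It assumes a 260-byte (Windows `MAX_PATH`-sized) buffer, which the advisory does not state; `append_dir_separator` and `PATH_BUF_LEN` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: a MAX_PATH-sized (260-byte) stack buffer; the advisory does not
 * state the real buffer size. */
#define PATH_BUF_LEN 260

/* Hypothetical helper: ensure the directory path in buf ends with '\\'.
 * Returns 0 on success, -1 if the result would not fit in cap bytes. */
int append_dir_separator(char *buf, size_t cap)
{
    const char *nul = memchr(buf, '\0', cap);
    if (nul == NULL)
        return -1;                    /* not terminated inside the buffer */
    size_t len = (size_t)(nul - buf);
    if (len > 0 && buf[len - 1] == '\\')
        return 0;                     /* separator already present */
    /* Need len chars + '\\' + '\0'. For len == 259 that is 261 > 260. */
    if (len + 2 > cap)
        return -1;                    /* reject instead of writing past the end */
    buf[len] = '\\';
    buf[len + 1] = '\0';
    return 0;
}

int main(void)
{
    char path[PATH_BUF_LEN];
    /* Constructed sample inputs: paths of 258 and 259 characters. */
    for (size_t n = 258; n <= 259; n++) {
        memset(path, 'a', n);
        path[0] = 'C'; path[1] = ':'; path[2] = '\\';
        path[n] = '\0';
        int rc = append_dir_separator(path, sizeof path);
        printf("len=%zu rc=%d final_len=%zu\n", n, rc, strlen(path));
    }
    return 0;
}
```

A 259-character path already fills the assumed buffer once its terminator is counted, so the separator has to be refused or the buffer sized for length + 2.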

Affected Version(s)

Notepad++ 8.9.3

Notepad++ 8.9.4

CVSS V3.1

Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
