PatchSiren cyber security CVE debrief
CVE-2026-5525 Notepad++ Project CVE debrief
A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in the file drop handler component. When a user drags and drops a directory path of exactly 259 characters without a trailing backslash, the application appends a backslash and null terminator without proper bounds checking, resulting in a stack buffer overflow and application crash (STATUS_STACK_BUFFER_OVERRUN).
- Vendor: Notepad++ Project
- Product: Notepad++
- CVSS: MEDIUM 6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-10
- Original CVE updated: 2026-06-05
- Advisory published: 2026-04-10
- Advisory updated: 2026-06-05
Who should care
Users of Notepad++ version 8.9.3
Technical summary
The vulnerability is caused by improper bounds checking in the file drop handler component of Notepad++ version 8.9.3. An attacker can exploit this vulnerability by dragging and dropping a directory path of exactly 259 characters without a trailing backslash, causing a stack buffer overflow and application crash.
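The append described above, as an added example that is not Notepad++ source code: an unchecked separator append beside a bounds-checked form. The 260-element buffer (the Windows MAX_PATH value), the narrow `char` type and all function names are assumptions made for illustration; the advisory does not state them.

```c
#include <stdio.h>
#include <string.h>
#define PATH_CAP 260 /* assumption: MAX_PATH-sized buffer; the advisory gives no size */

/* Unchecked pattern as the advisory describes it (hypothetical, not project code).
 * With len == 259 the terminator is written at index 260, one past the buffer end. */
static void append_sep_unchecked(char *path)
{
    size_t len = strlen(path);
    if (len > 0 && path[len - 1] != '\\') {
        path[len] = '\\';
        path[len + 1] = '\0';
    }
}

/* Checked form: 0 on success, -1 when separator plus terminator would not fit. */
static int append_sep_checked(char *path, size_t cap)
{
    const char *nul = memchr(path, '\0', cap);
    if (nul == NULL)
        return -1;                      /* not terminated inside the buffer */
    size_t len = (size_t)(nul - path);
    if (len > 0 && path[len - 1] == '\\')
        return 0;                       /* separator already present */
    if (len + 2 > cap)
        return -1;                      /* needs len + '\\' + '\0' elements */
    path[len] = '\\';
    path[len + 1] = '\0';
    return 0;
}

/* Builds a constructed path of n characters and runs the checked append on it. */
static int try_length(size_t n, int trailing_sep)
{
    char buf[PATH_CAP];
    if (n >= sizeof buf) return -1;
    memset(buf, 'a', n);
    if (trailing_sep && n > 0)
        buf[n - 1] = '\\';
    buf[n] = '\0';
    return append_sep_checked(buf, sizeof buf);
}

int main(void)
{
    char ok[PATH_CAP] = "C:\\constructed\\dir"; /* short input: unchecked form is safe here */
    append_sep_unchecked(ok);
    printf("%s 258:%d 259:%d 259+sep:%d\n", ok, try_length(258, 0), try_length(259, 0), try_length(259, 1));
    return 0;
}
```

The checked form rejects the 259-character case the advisory names and accepts both a 258-character path and a 259-character path that already ends in a backslash.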
Defensive priority
Medium
Recommended defensive actions
- Update to a patched version of Notepad++
- Avoid dragging and dropping directory paths of exactly 259 characters without a trailing backslash
Evidence notes
CVE-2026-5525 has a CVSS score of 6 and a severity of MEDIUM. The vulnerability was published on 2026-04-10T08:16:26.067Z and modified on 2026-06-05T13:54:59.610Z.
Official resources
- CVE-2026-5525 CVE record: CVE.org
- CVE-2026-5525 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: 33c584b5-0579-4c06-b2a0-8d8329fcab9c - Patch
- Mitigation or vendor reference: 33c584b5-0579-4c06-b2a0-8d8329fcab9c - Issue Tracking, Exploit, Mitigation, Vendor Advisory
- Mitigation or vendor reference: 33c584b5-0579-4c06-b2a0-8d8329fcab9c - Issue Tracking, Patch
This CVE debrief was generated using PatchSiren's CVE debrief tool.