PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-38972 Rizonesoft CVE debrief

CVE-2026-38972 is a high-severity vulnerability in Notepad3, a text editor software. The vulnerability allows a local attacker to execute arbitrary code by hijacking the DLL search order in the About-dialog code path. The affected product is Notepad3 version 6.25.822.1 or earlier. The vulnerability has a high CVSS score of 7.8 and is classified as HIGH severity. Users of Notepad3 should apply the patch to prevent exploitation.

Vendor
Rizonesoft
Product
Notepad3
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-02
Original CVE updated
2026-07-08
Advisory published
2026-07-02
Advisory updated
2026-07-08

Who should care

Users of Notepad3 version 6.25.822.1 or earlier should apply the patch to prevent exploitation. System administrators and security teams responsible for managing and securing Notepad3 installations should prioritize patching. Additionally, developers and security researchers interested in vulnerability analysis and mitigation should review the CVE record and NVD entry for further information.

Technical summary

The vulnerability exists in the About-dialog code path in src/Notepad3.c, where the application calls LoadLibrary(L'MSFTEDIT.DLL') with a bare DLL name. This allows a local attacker to place a malicious MSFTEDIT.DLL in the application directory or another preferred DLL search location and achieve arbitrary code execution in the context of the user when the About dialog is opened. The vulnerability is caused by the insecure DLL loading mechanism.

Defensive priority

High

Recommended defensive actions

  • Apply the patch provided by the vendor
  • Use secure coding practices to prevent similar vulnerabilities
  • Monitor system logs for suspicious activity
  • Restrict access to sensitive areas of the system
  • Keep software up-to-date
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-02T21:16:56.353Z and last modified on 2026-07-08T18:49:50.400Z. The NVD entry is currently Analyzed. The vulnerability was discovered in Notepad3, a text editor software. The evidence provided is limited, and further verification is required to confirm the affected scope and severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T21:16:56.353Z and has not been modified since then. The NVD entry is currently Analyzed.