DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-3008: CVE-2026-3008: Format String Injection in Notepad++ Localization Parser

#security #cve #cybersecurity

CVE-2026-3008: Format String Injection in Notepad++ Localization Parser

Vulnerability ID: CVE-2026-3008
CVSS Score: 6.6
Published: 2026-04-27

Notepad++ version 8.9.3 contains a format string injection vulnerability within its localization configuration parser. The application passes an unvalidated string from the nativeLang.xml file directly to the wsprintfW Windows API function. This flaw allows an attacker to cause an application crash or leak memory addresses by supplying a maliciously crafted language file.

TL;DR

A format string injection flaw (CWE-134) in the Notepad++ Find Results panel allows local attackers to trigger Denial of Service or Information Disclosure via a modified nativeLang.xml file.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-134
  • Attack Vector: Local / Social Engineering
  • CVSS v3.1 Score: 6.6 (Medium)
  • EPSS Score: 0.00012 (~1.72%)
  • Primary Impact: Denial of Service / Info Disclosure
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • Notepad++ 8.9.3 (Installer and Portable versions)
  • Windows OS (x86/x64/ARM64) running affected Notepad++ binaries
  • Notepad++: 8.9.3 (Fixed in: 8.9.4)

Exploit Details

  • GitHub: Proof of Concept exploit payload repository.
  • Technical Analysis: Detailed vulnerability write-up and exploitation guide.

Mitigation Strategies

  • Upgrade Notepad++ to version 8.9.4 or higher.
  • Implement File Integrity Monitoring (FIM) on the %APPDATA%\Notepad++\ directory to detect unauthorized changes to nativeLang.xml.
  • Restrict user permissions to modify application configuration files in centralized deployments.
  • Audit community language packs before deployment.

Remediation Steps:

  1. Identify all systems running Notepad++ version 8.9.3 or earlier.
  2. Deploy the Notepad++ 8.9.4 installer or updated portable binaries.
  3. Verify the executable version post-deployment.
  4. Optionally scan existing nativeLang.xml files for anomalous % format specifiers.

References

Read the full report for CVE-2026-3008 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)