What this actually is.
Technical background, root cause, and affected surface.
A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 within the file drop handler component (PowerEditor/src/Notepad_plus.cpp, lines 4514-4526). The vulnerability is triggered when a user drags and drops a directory path of exactly 259 characters (MAX_PATH - 1) without a trailing backslash onto the Notepad++ application window.
When processing the dropped path, the application attempts to append a backslash and a null terminator to the buffer without performing adequate bounds checking. Since the buffer is declared as wchar_t pathDropped[MAX_PATH] (260 elements, indices 0-259), and the path already occupies 259 characters, the null terminator write at index 260 overflows the stack-allocated buffer, resulting in a STATUS_STACK_BUFFER_OVERRUN (0xC0000409) error.
- Vendor
- Notepad++ Project
- Affected Product
- Notepad++ v8.9.3
- CVE
- CVE-2026-5525
- Securin ID
- -
- Status
- Fixed (v8.9.4+)
- Date
- March 31, 2026
- Severity
- Medium
- CVSS Score
- 6
- Vector
- CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
- CWE
- CWE-121
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
The following code in Notepad_plus.cpp demonstrates the vulnerable pattern:
wchar_t pathDropped[MAX_PATH]; // 260 elements, indices 0-259
DragQueryFile(hdrop, i, pathDropped, MAX_PATH);
// ...
if (::PathIsDirectory(pathDropped))
{
size_t len = lstrlen(pathDropped);
if (pathDropped[len - 1] != '\\')
{
pathDropped[len] = '\\'; // Valid write at index 259
pathDropped[len + 1] = '\0'; // OVERFLOW at index 260!
}
}When does this fire?
All conditions must be true for the exploit to succeed.
Notepad++ version 8.9.3 running on Windows (x86 or x64)
A directory path exactly 259 characters long
The directory path does not end with a trailing backslash
The user drags the directory onto the Notepad++ application window
Windows long paths must be enabled (a non-default configuration)
Initial Access
User Execution
Execution
Exploitation for Client Execution
Impact
Endpoint Denial of Service
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Successful exploitation of this vulnerability results in the following:
Denial of Service (DoS): Reliable application crash triggered by the stack buffer overrun, causing immediate termination of Notepad++ and potential loss of unsaved work.
C:H · I:H · A:N
CWE-121
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Update Notepad++ to the latest version which includes the fix.
The vulnerability was remediated by adding proper bounds validation before appending characters to the buffer. The fix ensures the buffer length is checked against MAX_PATH before the write operation.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
Vulnerability reported
Fix submitted by @xomx via Pull Request #17930
Pull request reviewed and approved by @donho (project maintainer)
Fix merged into main branch (commit bfe7514)
GitHub Issue #17921 closed as completed
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.