{"id":"CVE-2026-5525","details":"A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in the file drop handler component. When a user drags and drops a directory path of exactly 259 characters without a trailing backslash, the application appends a backslash and null terminator without proper bounds checking, resulting in a stack buffer overflow and application crash (STATUS_STACK_BUFFER_OVERRUN).","modified":"2026-07-15T06:01:34.574047Z","published":"2026-04-10T08:16:26.067Z","references":[{"type":"REPORT","url":"https://github.com/notepad-plus-plus/notepad-plus-plus/issues/17921"},{"type":"FIX","url":"https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bfe7514d68bc559534c046c4ef2d1865267aa2b0"},{"type":"FIX","url":"https://github.com/notepad-plus-plus/notepad-plus-plus/pull/17930"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/notepad-plus-plus/notepad-plus-plus","events":[{"introduced":"8452101a4b349c46b19af7d7010588d3b540294f"},{"last_affected":"8452101a4b349c46b19af7d7010588d3b540294f"},{"fixed":"bfe7514d68bc559534c046c4ef2d1865267aa2b0"}],"database_specific":{"cpe":"cpe:2.3:a:notepad-plus-plus:notepad\\+\\+:8.9.3:*:*:*:*:*:*:*","extracted_events":[{"introduced":"8.9.3"},{"last_affected":"8.9.3"}],"source":["CPE_STRING","REFERENCES"]}}],"versions":["8.9.3","v8.9.3"],"database_specific":{"vanir_signatures":[{"deprecated":false,"digest":{"function_hash":"274537293417442963565851391350857528842","length":2177},"id":"CVE-2026-5525-b6858adc","signature_type":"Function","signature_version":"v1","source":"https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bfe7514d68bc559534c046c4ef2d1865267aa2b0","target":{"file":"PowerEditor/src/Notepad_plus.cpp","function":"Notepad_plus::dropFiles"}},{"signature_version":"v1","source":"https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bfe7514d68bc559534c046c4ef2d1865267aa2b0","target":{"file":"PowerEditor/src/Notepad_plus.cpp"},"deprecated":false,"digest":{"line_hashes":["240776726183043293650488723090393231810","150966677519643893186391815494024935869","102169165498368863336098939601171579453","119190468575794080451735000777831025381","217065910712636053216983043163399270158","74196033383380248552007860658280525648","59256975397398899465806751213851256213","215988884122346158000715297416341844635","219669542967510492310439883532899594716","218194078975693796232897595176672299615","43179866262453734100793098279160493350","43054607183458018308897410147192734900","328191782207663566314725076025680278993","263399592677710189769360717596485637544","58685865184504447942227427760846241237","15624468880297394779603583924797780188","258322762416285129397208301381844491420","38353199352286544720865443049996738591","62653206360933176307927814928915554559","22154985440830689042014248085440661124","169765956284603468754452218485756155687","59256975397398899465806751213851256213","24775847932160629605559848555778114507","215062965397654460303028230290752024544","177379957089563863973724276587509002063"],"threshold":0.9},"id":"CVE-2026-5525-b9e7c3f8","signature_type":"Line"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5525.json","vanir_signatures_modified":"2026-07-15T06:01:34Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}