CVE-2026-48770 PUBLISHED

Notepad++ WM_COPYDATA COPYDATA_FULL_CMDLINE local DoS crash

Assigner: GitHub_M
Reserved: 22.05.2026 Published: 26.06.2026 Updated: 26.06.2026

Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malformed WM_COPYDATA message to Notepad++ using the COPYDATA_FULL_CMDLINE path. The handler appears to process COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* instead of enforcing COPYDATASTRUCT.cbData. This vulnerability is fixed in 8.9.6.1.
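
A bounds-checked way to read such a payload, shown as an added example that is not Notepad++'s code or its actual fix. The `copydata_t` struct is a stand-in for the fields of `COPYDATASTRUCT` so the code builds off Windows, and `wch_t`, `MAX_CMDLINE_CHARS` and `read_cmdline_bounded` are hypothetical names; the function rejects any payload whose terminator is not inside the declared `cbData`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for Win32 COPYDATASTRUCT so the example builds off Windows (assumption). */
typedef struct {
    uintptr_t   dwData;  /* message type tag */
    uint32_t    cbData;  /* size of lpData in BYTES, as declared by the sender */
    const void *lpData;  /* sender-controlled buffer */
} copydata_t;

typedef uint16_t wch_t;          /* Windows wchar_t is 16 bits wide */
#define MAX_CMDLINE_CHARS 32768u /* hypothetical cap chosen for this example */

/*
 * Copy a UTF-16 string out of a WM_COPYDATA-style payload, trusting only cbData.
 * Returns the number of characters copied (terminator excluded), or -1 if the
 * payload is malformed or does not fit in `out`.
 */
long read_cmdline_bounded(const copydata_t *cds, wch_t *out, size_t out_chars)
{
    if (cds == NULL || out == NULL || out_chars == 0)
        return -1;
    if (cds->lpData == NULL || cds->cbData == 0)
        return -1;
    if (cds->cbData % sizeof(wch_t) != 0)   /* truncated code unit */
        return -1;

    size_t avail = cds->cbData / sizeof(wch_t);
    if (avail > MAX_CMDLINE_CHARS)
        return -1;

    /* Bounded scan: never look past cbData for the terminator. */
    size_t len = 0;
    for (; len < avail; len++) {
        wch_t c;
        memcpy(&c, (const unsigned char *)cds->lpData + len * sizeof(wch_t), sizeof c);
        if (c == 0)
            break;
    }
    if (len == avail)       /* no NUL inside the declared size: reject */
        return -1;
    if (len >= out_chars)   /* no room for the string plus terminator */
        return -1;

    memcpy(out, cds->lpData, len * sizeof(wch_t));
    out[len] = 0;
    return (long)len;
}
```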

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
CVSS Score: 5

Product Status

Vendor notepad-plus-plus
Product notepad-plus-plus
Versions
  • Version < 8.9.6.1 is affected

Problem Types

  • CWE-125: Out-of-bounds Read