Introduction
Notepad++ is a widely used, free, and open-source text editor for Microsoft Windows, known for its support for multiple programming languages, syntax highlighting, and plugin ecosystem. Developed by Don Ho, it has garnered millions of users since its inception in 2003. However, as with any software, Notepad++ has faced security vulnerabilities over the years, ranging from buffer overflows and DLL hijacking to privilege escalations. These issues can potentially lead to arbitrary code execution, denial of service (DoS), or unauthorized privilege gains.
This document provides an overview of key known vulnerabilities, primarily drawn from Common Vulnerabilities and Exposures (CVE) entries. It includes details on affected versions, severity scores (using CVSS v3.1 where available), descriptions, and mitigation recommendations. The list is not exhaustive but covers significant incidents up to December 2025. Users are encouraged to keep Notepad++ updated via the official website (notepad-plus-plus.org) and verify downloads with GPG signatures when possible.
Vulnerabilities are listed chronologically by publication date for clarity.
Key Vulnerabilities
CVE-2017-8803 (Published: April 20, 2025; CVSS: 7.8 High)
• Affected Versions: Notepad++ 7.3.3 (32-bit) with Hex Editor Plugin v0.9.5
• Description: A “Data from Faulting Address controls Code Flow” issue allows user-assisted remote code execution (RCE) via a crafted file. An attacker could exploit this by tricking a user into opening a malicious file obtained from a remote source, combined with specific user-defined commands.
• Impact: Potential RCE in the context of the user, leading to data theft or malware installation.
• Mitigation: Update to a version beyond 7.3.3 and avoid untrusted Hex Editor plugins. This older issue highlights risks from third-party plugins.
CVE-2019-16294 (Published: November 21, 2024; CVSS: 7.8 High)
• Affected Versions: Notepad++ (x64) before 7.7
• Description: SciLexer.dll in Scintilla (a component used for syntax highlighting) allows RCE or DoS via Unicode characters in a crafted .ml file.
• Impact: Opening a malicious file could crash the application or execute arbitrary code.
• Mitigation: Upgrade to Notepad++ 7.7 or later, which patches the Scintilla component.
CVE-2022-31901 (Published: April 4, 2025; CVSS: 6.5 Medium)
• Affected Versions: Notepad++ v8.4.3 and earlier
• Description: Buffer overflow in the Notepad_plus::addHotSpot function, triggered by two crafted files.
• Impact: Application crash (DoS); potential for RCE if exploited further.
• Mitigation: Update to v8.4.4 or newer.
CVE-2022-31902 (Published: March 27, 2025; CVSS: 5.5 Medium)
• Affected Versions: Notepad++ v8.4.1
• Description: Stack overflow in the Finder::add() component.
• Impact: Local DoS via crafted input; limited exploitability.
• Mitigation: Patch to a subsequent version.
CVE-2022-32168 (Published: May 21, 2025; CVSS: 7.8 High)
• Affected Versions: Notepad++ versions 8.4.1 and earlier
• Description: DLL hijacking vulnerability where an attacker replaces UxTheme.dll with a malicious version, allowing arbitrary code execution in Notepad++’s context.
• Impact: RCE upon launching Notepad++, potentially for persistence or data exfiltration.
• Mitigation: Install in a protected directory (e.g., Program Files) and update to v8.4.2+.
CVE-2023-40031 (Published: November 21, 2024; CVSS: 7.8 High)
• Affected Versions: Versions 8.5.6 and prior
• Description: Heap buffer write overflow in Utf8_16_Read::convert, exploitable via crafted input.
• Impact: Arbitrary code execution, high risk for file-processing workflows.
• Mitigation: Upgrade to v8.5.7 or later; avoid opening untrusted files.
CVE-2023-40036 (Published: November 21, 2024; CVSS: 5.5 Medium)
• Affected Versions: Versions 8.5.6 and prior
• Description: Global buffer read overflow in CharDistributionAnalysis::HandleOneChar.
• Impact: Potential memory leak of internal data; low exploitability for RCE.
• Mitigation: Update as above; monitor for patches in encoding-related components.
CVE-2023-40164 (Published: November 21, 2024; CVSS: 5.5 Medium)
• Affected Versions: Versions 8.5.6 and prior
• Description: Global buffer read overflow in nsCodingStateMachine::NextStater.
• Impact: Similar to CVE-2023-40036; possible information disclosure.
• Mitigation: Same as above.
CVE-2023-40166 (Published: November 21, 2024; CVSS: 5.5 Medium)
• Affected Versions: Versions 8.5.6 and prior
• Description: Heap buffer read overflow in FileManager::detectLanguageFromTextBegining.
• Impact: Memory leak potential; affects language detection features.
• Mitigation: Update promptly.
CVE-2023-47452 (Published: November 21, 2024; CVSS: 7.8 High)
• Affected Versions: Notepad++ 6.5
• Description: Untrusted search path vulnerability allowing privilege escalation via msimg32.dll in the working directory.
• Impact: Local privilege escalation for attackers with directory write access.
• Mitigation: This affects an outdated version; upgrade to the latest release.
CVE-2023-6401 (Published: November 21, 2024; CVSS: 5.3 Medium)
• Affected Versions: Up to 8.1
• Description: Uncontrolled search path in dbghelp.exe.
• Impact: Local exploitation leading to unintended code execution.
• Mitigation: Update beyond 8.1; run from secure paths.
CVE-2025-49144 (Published: June 23, 2025; CVSS: 7.3 High)
• Affected Versions: 8.8.1 and prior
• Description: Privilege escalation in the installer due to insecure executable search paths (CWE-427, CWE-272, CWE-276). Attackers can use social engineering to place malicious executables in the Downloads folder, gaining SYSTEM privileges upon installation.
• Impact: Full system compromise; high severity for new installations.
• Mitigation: Fixed in v8.8.2. Download only from official sources and verify signatures. Organizations should enforce installer policies.
CVE-2025-56383 (Published: September 26, 2025; CVSS: Not fully assessed; Disputed)
• Affected Versions: v8.8.3 (potentially up to 8.8.5)
• Description: DLL hijacking allowing replacement of plugin DLLs for malicious code execution. Disputed by Notepad++ developers and others, as it requires installation in a writable directory by unprivileged users (CWE-427).
• Impact: Potential RCE on launch if exploited; low feasibility in default setups.
• Mitigation: Install in read-only directories like Program Files. Notepad++ v8.8.6 clarifies it as a non-issue but recommends secure practices. A proof-of-concept exists, emphasizing user caution.
Trends and Analysis
• Common Themes: DLL hijacking and untrusted search paths appear frequently (e.g., CVE-2022-32168, CVE-2025-56383), often due to Windows-specific behaviors. Buffer overflows (e.g., CVE-2022-31901) are tied to file parsing and encoding functions. Plugin-related issues (e.g., CVE-2017-8803) underscore risks from extensions.
• Severity Distribution: Most CVEs rate Medium to High (5.3–7.8), with exploitation typically requiring local access or user interaction.
• Timeline: Vulnerabilities spiked in disclosures around 2024–2025, possibly due to increased scrutiny. Older versions (pre-7.7) remain risky if unpatched.
• Attack Vectors: Primarily local (AV:L) with user interaction (UI:R), but RCE potential makes them dangerous in shared or remote-file environments.
Recommendations
1. Update Regularly: Always use the latest version (as of December 2025, v8.8.6 or higher). Enable auto-updates if available.
2. Secure Installation: Install in protected directories; avoid running from writable locations like Downloads.
3. Plugin Caution: Vet and update plugins; disable unnecessary ones.
4. File Handling: Scan files before opening, especially from untrusted sources.
5. Monitoring: Use tools like Windows Defender or third-party scanners for DLL integrity.
6. Enterprise Advice: Deploy via managed installers (e.g., MSI) and restrict user privileges.
For the most current information, consult the National Vulnerability Database (NVD) or Notepad++ release notes. If you encounter a potential new issue, report it via the official GitHub repository.
References
• National Vulnerability Database (NVD) entries for individual CVEs.
• OpenCVE vulnerability database.
• Notepad++ Community Forum discussions on recent issues.
Document Last Updated: December 7, 2025