Notepad++ malformed structure local denial of service
CVE-2026-48770 is a local denial-of-service vulnerability in Notepad++ affecting versions up to and including 8.9.6. The flaw is described as a crash condition triggered by malformed structures or malformed internal messages. Available reporting indicates the issue stems from improper handling of malformed internal messages and insufficient bounds checking on incoming data strings, allowing a separate local process to reliably crash the editor. Public reporting also references malformed XML structures as a trigger condition. The issue was fixed in Notepad++ 8.9.6.1.
Exploits
One valid exploit remains after Mallory filtered out fakes, detection scripts, and README-only repositories.

This repository is a small standalone PoC collection for three local vulnerabilities affecting Notepad++ <= 8.9.6 on Windows. It contains 7 files in total: a README, two XML payload samples, one PowerShell crash PoC, and three Python PoCs. The code is not part of a larger exploit framework.

Repository structure and purpose:
- README.md documents the three CVEs, prerequisites, trigger conditions, and usage examples.
- poc_CVE-2026-48770.py and payloads/poc_CVE-2026-48770.ps1 implement the same local crash technique in Python and PowerShell.
- poc_CVE-2026-48778.py generates or restores a malicious config.xml for command execution.
- poc_CVE-2026-48800.py generates or restores a malicious shortcuts.xml for command execution.
- payloads/config.xml and payloads/shortcuts.xml are ready-made drop-in XML payloads.

Main exploit capabilities:
1. CVE-2026-48770: local denial of service (crash). The PoC locates the Notepad++ window and sends a crafted WM_COPYDATA message with dwData=3 and a non-NUL-terminated 8192-byte buffer, aiming to trigger an out-of-bounds read and crash the process.
2. CVE-2026-48778: local code execution via configuration injection. The script writes a malicious %APPDATA%\Notepad++\config.xml, or a temporary config.xml for use with -settingsDir, and sets GUIConfig name="commandLineInterpreter" to an attacker-chosen executable. When the user selects File -> Open Containing Folder -> cmd, Notepad++ launches that executable.
3. CVE-2026-48800: local code execution via shortcuts injection. The script writes a malicious %APPDATA%\Notepad++\shortcuts.xml, or a temporary shortcuts.xml for use with -settingsDir, and adds a UserDefinedCommands entry whose text is an attacker-chosen executable. After a restart, the victim can trigger execution from the Run menu.

Operational characteristics:
- The RCE PoCs support direct overwrite and restore workflows, including automatic backup creation (.bak).
- Both RCE PoCs also support a settingsdir mode that avoids modifying the real AppData directory: it prepares a temporary settings directory and prints a launch command of the form notepad++.exe -settingsDir=<tmpdir>.
- Payloads are basic and customizable through command-line arguments, so the repository is a straightforward working local exploit set rather than a detection-only script.

No external network infrastructure, C2, or remote endpoints are used. The exploit surface is entirely local: Windows messaging and local Notepad++ configuration files.
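As an added defender-side example (not code from this page, from Notepad++, or from the PoC repository), the following Python script checks whether an installed Notepad++ version is below the 8.9.6.1 fix and audits a settings directory for the two configuration-injection indicators described above: a commandLineInterpreter entry in config.xml that no longer holds the default interpreter, and UserDefinedCommands entries in shortcuts.xml that point at an executable. The page names only the GUIConfig/commandLineInterpreter and UserDefinedCommands elements; the surrounding layout (NotepadPlus/GUIConfigs and NotepadPlus/UserDefinedCommands/Command), the default interpreter value "cmd", and the path heuristic are assumptions, and the sample XML is constructed for this example.

```python
"""Audit a Notepad++ settings directory for the config/shortcut injection
indicators described on the page. Added example; element layout, default
interpreter value and the path heuristic are assumptions, sample XML is
constructed."""
import os
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (8, 9, 6, 1)      # first fixed release per the advisory text
EXPECTED_INTERPRETER = "cmd"      # assumed shipped default for commandLineInterpreter

# Heuristic for "runs an executable": absolute/UNC path or an executable/script extension.
EXECUTABLE_HINT = re.compile(r"(^[A-Za-z]:\\|\\\\|\.(exe|bat|cmd|ps1|vbs|js)\b)", re.I)


def parse_version(text):
    """'8.9.6' -> (8, 9, 6, 0); pads to four components so tuples compare directly."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_vulnerable_version(text):
    """True when the version string is older than the fixed release."""
    return parse_version(text) < FIXED_VERSION


def audit_config_xml(xml_text):
    """Report a commandLineInterpreter value that differs from the expected default."""
    findings = []
    root = ET.fromstring(xml_text)
    for cfg in root.iter("GUIConfig"):
        if cfg.get("name") == "commandLineInterpreter":
            value = (cfg.text or "").strip()
            if value.lower() != EXPECTED_INTERPRETER:
                findings.append(f"config.xml: commandLineInterpreter set to {value!r}")
    return findings


def audit_shortcuts_xml(xml_text):
    """Report UserDefinedCommands entries whose command text looks like an executable.
    Hits are review items, not proof of compromise: legitimate user commands can match."""
    findings = []
    root = ET.fromstring(xml_text)
    udc = root.find("UserDefinedCommands")
    if udc is None:
        return findings
    for cmd in udc.findall("Command"):
        text = (cmd.text or "").strip()
        if EXECUTABLE_HINT.search(text):
            findings.append(f"shortcuts.xml: command {cmd.get('name')!r} runs {text!r}")
    return findings


def audit_settings_dir(settings_dir=None):
    """Audit the real files; defaults to %APPDATA%\\Notepad++ (assumed location)."""
    if settings_dir is None:
        settings_dir = os.path.join(os.environ.get("APPDATA", ""), "Notepad++")
    findings = []
    for name, auditor in (("config.xml", audit_config_xml), ("shortcuts.xml", audit_shortcuts_xml)):
        path = os.path.join(settings_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(auditor(fh.read()))
    return findings


# Constructed samples: an injected interpreter and one injected user command beside a benign one.
SAMPLE_CONFIG_XML = """<NotepadPlus>
  <GUIConfigs>
    <GUIConfig name="commandLineInterpreter">C:\\Users\\Public\\payload-placeholder.exe</GUIConfig>
  </GUIConfigs>
</NotepadPlus>"""

SAMPLE_SHORTCUTS_XML = """<NotepadPlus>
  <UserDefinedCommands>
    <Command name="Launch in Firefox" Ctrl="yes" Alt="no" Shift="yes" Key="88">firefox "$(FULL_CURRENT_PATH)"</Command>
    <Command name="Injected" Ctrl="no" Alt="no" Shift="no" Key="0">C:\\Users\\Public\\payload-placeholder.exe</Command>
  </UserDefinedCommands>
</NotepadPlus>"""


if __name__ == "__main__":
    print("8.9.6 vulnerable:", is_vulnerable_version("8.9.6"))
    for line in audit_config_xml(SAMPLE_CONFIG_XML) + audit_shortcuts_xml(SAMPLE_SHORTCUTS_XML):
        print("FINDING:", line)
```

Run it against a live machine with `audit_settings_dir()` (or pass any `-settingsDir` path the PoC's settingsdir mode would print); the version check is meant to be fed the product version read from notepad++.exe or the installer registry entry, which this script does not look up itself.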
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
- A local denial of service vulnerability in Notepad++ caused by improper handling of malformed internal messages and insufficient bounds checking on incoming data strings, allowing a local process to reliably crash the editor.
- A Notepad++ denial-of-service crash vulnerability triggered by malformed structures.
- A high-severity vulnerability in Notepad++ that can cause a crash via a malformed XML structure.
- A vulnerability in Notepad++ that can cause a crash when processing malformed structures.