CVEs in Notepad++ V8.5.6 and Prior

Murray Sobol 1

The following CVEs have been reported in Notepad++ V8.5.6 and Prior
CVE-2023-40166
Versions 8.5.6 and prior are vulnerable to heap buffer read overflow in FileManager::detectLanguageFromTextBegining . The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information.
CVE-2023-40164
Versions 8.5.6 and prior are vulnerable to global buffer read overflow in nsCodingStateMachine::NextStater. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information.
CVE-2023-40036
Versions 8.5.6 and prior are vulnerable to global buffer read overflow in CharDistributionAnalysis::HandleOneChar. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information.
CVE-2023-40031
Versions 8.5.6 and prior are vulnerable to heap buffer write overflow in Utf8_16_Read::convert. This issue may lead to arbitrary code execution.

For all of the above CVEs, As of time of publication, no known patches are available in existing versions of Notepad++.

I sincerely hope that these issues are being addressed and will be resolved in a not to distant version of Notepad++.

PeterJones

@Murray-Sobol-1 said in CVEs in Notepad++ V8.5.6 and Prior:

The following CVEs have been reported in Notepad++ V8.5.6 and Prior

Already addressed:
https://community.notepad-plus-plus.org/topic/24889/notepad-v8-5-7-release-candidate

For all of the above CVEs, As of time of publication, no known patches are available in existing versions of Notepad++.

Notepad++ does not do “patch” releases. It just releases new versions. And the new version implementing the fixes is available in release-candidate, and will be switched to full release soon,