CVEs in Notepad++ V8.5.6 and Prior
-
The following CVEs have been reported in Notepad++ V8.5.6 and Prior
CVE-2023-40166
Versions 8.5.6 and prior are vulnerable to heap buffer read overflow inFileManager::detectLanguageFromTextBegining. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information.
CVE-2023-40164
Versions 8.5.6 and prior are vulnerable to global buffer read overflow innsCodingStateMachine::NextStater. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information.
CVE-2023-40036
Versions 8.5.6 and prior are vulnerable to global buffer read overflow inCharDistributionAnalysis::HandleOneChar. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information.
CVE-2023-40031
Versions 8.5.6 and prior are vulnerable to heap buffer write overflow inUtf8_16_Read::convert. This issue may lead to arbitrary code execution.For all of the above CVEs, As of time of publication, no known patches are available in existing versions of Notepad++.
I sincerely hope that these issues are being addressed and will be resolved in a not to distant version of Notepad++.
-
@Murray-Sobol-1 said in CVEs in Notepad++ V8.5.6 and Prior:
The following CVEs have been reported in Notepad++ V8.5.6 and Prior
Already addressed:
https://community.notepad-plus-plus.org/topic/24889/notepad-v8-5-7-release-candidateFor all of the above CVEs, As of time of publication, no known patches are available in existing versions of Notepad++.
Notepad++ does not do “patch” releases. It just releases new versions. And the new version implementing the fixes is available in release-candidate, and will be switched to full release soon,
