Notepad++ patches CVE-2026-3008 bug
What happened
- Notepad++ released version 8.9.4 on April 26, fixing CVE-2026-3008, a flaw in 8.9.3 that could crash the editor or expose memory addresses.
- The bug sat in Find in Files: a crafted nativeLang.xml value containing "%s" could trigger the vulnerable code path when search results were displayed.
- The patch lands weeks after broader supply-chain scrutiny around Notepad++ updates, keeping focus on trusted upgrade paths. (notepad-plus-plus.org)
Why it matters
Text editors read plain files, but they also read configuration files that tell them how menus, labels and search results should look. When those files are handled unsafely, even a basic editor can be crashed by text that should have stayed harmless. (notepad-plus-plus.org) (csa.gov.sg)

That is what Notepad++ patched in version 8.9.4, released April 26. The update fixes CVE-2026-3008, which affected version 8.9.3 and could let an attacker crash the app or reveal memory address information. (notepad-plus-plus.org) (csa.gov.sg)

The vulnerable path was in Find in Files, the feature that searches across many documents at once. Notepad++ said crashes occurred when the "find-result-hits" field of nativeLang.xml, the editor's localization file, contained "%s", tying the fix directly to how localized text was parsed and displayed. (notepad-plus-plus.org)

Singapore's Cyber Security Agency described the flaw as a string injection bug. In plain terms, it is the classic format-string mistake: the program used text from a file it did not fully control as a formatting template, so a "%s" in that text was interpreted as an instruction to read a string through a pointer rather than as two ordinary characters. (csa.gov.sg) That kind of bug does not automatically hand over a machine, but it can disclose memory layout details that help attackers map a process, and it can force repeated crashes, which is enough to disrupt users and signals that a program is mishandling input. (csa.gov.sg) (gist.github.com) Because the trigger sits in a configuration file rather than in a document being edited, the realistic exposure is a tampered or untrusted localization file, or an attacker who can already write to the user's Notepad++ settings; that narrows the blast radius but does not remove the need to patch.

The official release notes say 8.9.4 fixed three crash issues, not just the CVE-tracked one. The same release also patched a drop-file crash at a 259-character path length and another crash tied to undoing bad column-editor input in virtual space. (notepad-plus-plus.org)

The timing matters because Notepad++ has already spent part of 2026 answering user questions about update trust. On February 5, the project said Notepad++ itself was not hacked, but its WinGup auto-updater had been exploited through a compromise of a former service provider's infrastructure. (notepad-plus-plus.org) That earlier clarification was about supply-chain exposure, while CVE-2026-3008 is a software bug inside the editor. They are different problems, but both push users toward the same practical step: move off 8.9.3 and onto the current release from the project's official channel. (notepad-plus-plus.org) (csa.gov.sg)

For administrators, this is a small desktop patch with a familiar lesson. A single malformed configuration string in a routine feature was enough to turn a text editor update into a security release. (notepad-plus-plus.org) (csa.gov.sg)
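The bug class above, a translation string reaching a printf-style formatter, is easiest to see in code. What follows is an added example written for this article in C++, not Notepad++ source: a validator that accepts only the single "%d" placeholder a hit-count label needs, and a renderer that substitutes that placeholder by hand so the localization text is never used as a format string. The template syntax, the fallback string and the function names are assumptions made for the example.

```cpp
// Added example for this article, not Notepad++ code. Shows how a localized
// "hits" label can be rendered without letting the translation file act as a
// format string. Template syntax ("%d" for the count, "%%" for a literal
// percent sign), the fallback text and the function names are assumptions.
#include <string>
#include <cstddef>

// The unsafe pattern behind this bug class looks like
//     snprintf(buf, sizeof buf, templateFromXml.c_str(), hits);
// With a template of "%s hits" the formatter reads a pointer from an argument
// slot that was never supplied, which is the crash or address leak the
// advisory describes. Nothing below passes untrusted text to a formatter.

// Returns true if the template contains only the directives we intend to
// honour: exactly one "%d" for the hit count and any number of "%%" escapes.
// Anything else ("%s", "%n", "%p", a dangling '%', a second "%d") is rejected,
// so a hostile or simply mistyped translation is never interpreted.
bool isSafeHitsTemplate(const std::string& tmpl) {
    int countDirectives = 0;
    for (std::size_t i = 0; i < tmpl.size(); ++i) {
        if (tmpl[i] != '%') continue;
        if (i + 1 >= tmpl.size()) return false;   // dangling '%' at end of string
        char next = tmpl[i + 1];
        if (next == '%') { ++i; continue; }       // "%%": literal percent sign
        if (next == 'd') { ++countDirectives; ++i; continue; }
        return false;                             // %s, %n, %p, %x, ... not allowed
    }
    return countDirectives == 1;
}

// Renders the label by copying the template byte for byte and substituting
// only the tokens isSafeHitsTemplate() accepted. An invalid template falls
// back to a built-in English string instead of crashing or leaking memory.
std::string renderHits(const std::string& tmplFromXml, int hits) {
    static const std::string fallback = "%d hits";
    const std::string& tmpl = isSafeHitsTemplate(tmplFromXml) ? tmplFromXml : fallback;

    std::string out;
    out.reserve(tmpl.size() + 12);
    for (std::size_t i = 0; i < tmpl.size(); ++i) {
        if (tmpl[i] == '%' && i + 1 < tmpl.size()) {
            char next = tmpl[i + 1];
            if (next == 'd') { out += std::to_string(hits); ++i; continue; }
            if (next == '%') { out += '%'; ++i; continue; }
        }
        out += tmpl[i];
    }
    return out;
}
```

The same validator doubles as a lint for localization files: running every user-visible template through it at load time, and logging the ones it rejects, turns a silent crash or memory leak into a visible configuration error.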
Key numbers
- 8.9.4: the Notepad++ release, dated April 26, that fixes CVE-2026-3008.
- 8.9.3: the affected version users should move off.
- 3: crash issues fixed in 8.9.4, only one of which carries a CVE.
- 259 characters: the drop-file path length that triggered one of the other fixed crashes.
- February 5: the date the project said its WinGup auto-updater, not Notepad++ itself, had been exploited through a former service provider's infrastructure.
What happens next
- Users still on 8.9.3 should move to the current release from the project's official channel, the step both Notepad++ and Singapore's Cyber Security Agency point to.
- Administrators can treat this as a routine desktop patch, but the February update-trust episode is a reminder to confirm that installers and auto-updates come from the official source.
- The release notes describe 8.9.4 as fixing three crash issues, so the upgrade also clears the drop-file and column-editor crashes alongside the CVE.
Quick answers
What happened?
Notepad++ released version 8.9.4 on April 26, fixing CVE-2026-3008, a flaw in 8.9.3 that could crash the editor or expose memory addresses. The bug sat in Find in Files: a "%s" in the "find-result-hits" value of nativeLang.xml could trigger the vulnerable code path when results were displayed. (notepad-plus-plus.org)
Why does it matter?
Singapore's Cyber Security Agency described it as a string injection bug: text the program did not control was treated as formatting instructions, which can leak memory layout details or crash the process. It arrives weeks after the project's February 5 statement that its WinGup auto-updater had been exploited through a former service provider's infrastructure, so the practical step is the same in both cases: move off 8.9.3 and onto the current release from the official channel. (notepad-plus-plus.org) (csa.gov.sg)