Notepad++ patches CVE-2026-3008 bug

- Notepad++ released version 8.9.4 on April 26, fixing CVE-2026-3008, a flaw in 8.9.3 that could crash the editor or expose memory addresses.
- The bug sat in Find in Files: a crafted nativeLang.xml value containing “%s” could trigger the vulnerable code path in search results.
- The patch lands weeks after broader supply-chain scrutiny around Notepad++ updates, keeping focus on trusted upgrade paths. (notepad-plus-plus.org)

Text editors read plain files, but they also read configuration files that tell them how menus, labels and search results should look. When those files are handled unsafely, even a basic editor can be crashed by text that should have stayed harmless. (notepad-plus-plus.org) (csa.gov.sg)

That is what Notepad++ patched in version 8.9.4, released April 26. The update fixes CVE-2026-3008, which affected version 8.9.3 and could let an attacker crash the app or reveal memory address information. (notepad-plus-plus.org) (csa.gov.sg)

The vulnerable path was in Find in Files, the feature that searches across many documents at once. Notepad++ said crashes occurred when nativeLang.xml’s “find-result-hits” field contained “%s”, tying the fix directly to how localized text was parsed and displayed. (notepad-plus-plus.org)

Singapore’s Cyber Security Agency said the flaw was a string injection bug. In plain terms, the program treated attacker-controlled text like formatting instructions instead of ordinary words. (csa.gov.sg)

That kind of bug does not automatically hand over a machine, but it can still disclose memory layout details that help attackers map a process. It can also force repeated crashes, which is enough to disrupt users and signal that a program is mishandling input. (csa.gov.sg) (gist.github.com)

The official release notes say 8.9.4 fixed three crash issues, not just the CVE-tracked one. The same release also patched a drop-file crash at a 259-character path length and another crash tied to undoing bad column-editor input in virtual space. (notepad-plus-plus.org)

The timing matters because Notepad++ has already spent part of 2026 answering user questions about update trust. On February 5, the project said Notepad++ itself was not hacked, but its WinGup auto-updater had been exploited through a compromise of a former service provider’s infrastructure. (notepad-plus-plus.org)

That earlier clarification was about supply-chain exposure, while CVE-2026-3008 is a software bug inside the editor. They are different problems, but both push users toward the same practical step: move off 8.9.3 and onto the current release from the project’s official channel. (notepad-plus-plus.org) (csa.gov.sg)

For administrators, this is a small desktop patch with a familiar lesson. A single malformed configuration string in a routine feature was enough to turn a text editor update into a security release. (notepad-plus-plus.org) (csa.gov.sg)
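The bug class described above, a localized template from a translation file handed to a printf-style formatter, is usually mitigated by checking the template against the conversions the caller actually supplies before using it. The following is an added example written for this page, not Notepad++ code; it assumes, for illustration only, that the find-result-hits template takes a single integer hit count.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if the printf-style template contains exactly the conversions
 * listed in `expected` (one letter per conversion, in order), 0 otherwise.
 * "%%" is a literal percent sign and is not counted. Flags, width and
 * precision are skipped; length modifiers (h, l, ll, ...) are not handled
 * in this example, so a template such as "%ld" would be rejected. */
int template_matches(const char *tmpl, const char *expected)
{
    size_t n = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* literal "%%" */
        while (*p && strchr("-+ #0123456789.", *p))
            p++;                            /* flags, width, precision */
        if (*p == '\0')
            return 0;                       /* dangling '%' at end */
        if (expected[n] == '\0' || *p != expected[n])
            return 0;                       /* extra or wrong conversion */
        n++;
    }
    return expected[n] == '\0';             /* every expected conversion seen */
}

/* Build the "N hits" line for a search-result pane. The localized template
 * (a hypothetical find-result-hits value) is used only if it carries exactly
 * one %d; otherwise a built-in default is used, so a translation file cannot
 * steer the formatter. Returns the length snprintf reports. */
int format_hits_line(char *out, size_t outsz, const char *localized, int hits)
{
    const char *fallback = "%d hits";
    const char *tmpl = template_matches(localized, "d") ? localized : fallback;
    return snprintf(out, outsz, tmpl, hits);
}

int main(void)
{
    char buf[64];
    /* Constructed inputs: one valid translation, one carrying an extra %s. */
    format_hits_line(buf, sizeof buf, "%d Treffer", 7);
    printf("%s\n", buf);
    format_hits_line(buf, sizeof buf, "%s results", 7);
    printf("%s\n", buf);
    return 0;
}
```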
