“The latest release, Notepad++ version 8.5.7, includes security updates to address several buffer overflow vulnerabilities identified in the previous version.”
Notepad++ is a widely-used, free source code editor with support for numerous programming languages. It can be extended through plugins and boasts productivity-enhancing features like multi-tabbed editing and syntax highlighting.
GitHub’s security analyst, Jaroslav Lobachevski, uncovered the zero-day vulnerabilities in Notepad++ version 8.5.2 and promptly reported them last month to facilitate the release of an update for their resolution.
Proof of concept exploits has also been published for these flaws in the researcher’s public advisory, making it crucial for users to update to the latest version as soon as possible.
The identified vulnerabilities encompass ‘heap buffer write and read overflows’ found in multiple functions and libraries utilized by Notepad++.
- CVE-2023-40031: Buffer overflow in Utf8_16_Read::convert function.
- CVE-2023-40036: Global buffer read overflow in CharDistributionAnalysis::HandleOneChar.
- CVE-2023-40164: Global buffer read overflow in nsCodingStateMachine::NextState.
- CVE-2023-40166: Heap buffer read overflow at FileManager::detectLanguageFromTextBeginning.”
Among the four vulnerabilities, CVE-2023-40031 is the most critical, earning a severity rating of 7.8 on the CVSS v3 vulnerability scale and has the potential to result in code execution.
However, one user disputes that it would be possible to execute code due to its nature error.
The other three issues are problems of moderate severity (5,5) that Lobačevski says can be leveraged to information leak internal memory.
Of note, Lobačevski disclosed the presence of zero-day vulnerabilities and published Proof of Concept exploits on August 21, 2023.
However, immediate responsiveness from Notepad++ developers was lacking. It wasn’t until August 30, 2023, that a public issue was raised to highlight the problem, and corrective measures were incorporated into the code branch on September 3, 2023. Consequently, Notepad++ 8.5.7 has been released.
The vulnerabilities in Notepad++ pose a significant security risk to users’ systems. It is imperative that all Notepad++ users promptly update their software to the latest version, 8.5.7, which addresses these and other security flaws.