Notepad++ version 8.5.7 has been released with fixes for multiple buffer overflow zero-days, with one marked as potentially leading to code execution by tricking users into opening specially crafted files.

Notepad++ is a popular free source code editor that supports many programming languages, can be extended via plugins, and offers productivity-enhancing features such as multi-tabbed editing and syntax highlighting.

GitHub’s security researcher Jaroslav Lobačevski reported the vulnerabilities in Notepad++ version 8.5.2 to the developers over the last couple of months. 

Proof of concept exploits have also been published for these flaws in the researcher’s public advisory, making it essential for users to update the program as soon as possible.

Security flaws in Notepad++

The discovered vulnerabilities involve heap buffer write and read overflows in various functions and libraries used by Notepad++.

Here’s a summary of the four flaws discovered by GitHub’s researcher:

• CVE-2023-40031: Buffer overflow in the Utf8_16_Read::convert function due to incorrect assumptions about UTF16 to UTF8 encoding conversions.
• CVE-2023-40036: Global buffer read overflow in CharDistributionAnalysis::HandleOneChar caused by an array index order based on the buffer size, exacerbated by using the uchardet library.
• CVE-2023-40164: Global buffer read overflow in nsCodingStateMachine::NextState. This is linked to a specific version of the uchardet library used by Notepad++, vulnerable due to its dependency on the size of the charLenTable buffer.
• CVE-2023-40166: Heap buffer read overflow occurs in FileManager::detectLanguageFromTextBegining due to failing to check buffer lengths during file language detection.

The most severe of these flaws is CVE-2023-40031, assigned a CVSS v3 rating of 7.8 (high), potentially leading to arbitrary code execution.

However, a user disputes that it would be possible to perform code execution using this flaw due to the type of error it is.

“While it is technically a “buffer overflow” is really only an off-by-two bug with practically zero chance to allow for arbitrary code execution,” reads a comment to a GitHub issue opened about the flaws.

The other three issues are medium-severity (5.5) problems that Lobačevski says might be leveraged to leak internal memory allocation information.

Fix coming

Despite Lobačevski’s blog and proof of concept exploits being published on August 21, 2023, the Notepad++ development team did not rush to respond to the situation until the user community pressed for its resolution.

Eventually, on August 30, 2023, a public issue was created to acknowledge the problem, and fixes for the four flaws made it into the main code branch on September 3, 2023.

Notepad++ 8.5.7 has now been released and should be installed to fix the four vulnerabilities and other bugs listed in the changelog.