CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-3008 · CVSS 6.6 · EPSS 0.01%

CVE-2026-3008: Format String Injection in Notepad++ Localization Parser

Alon Barad
Software Engineer

Apr 28, 2026 · 6 min read

PoC Available

Executive Summary (TL;DR)

A format string injection flaw (CWE-134) in the Notepad++ Find Results panel allows local attackers to trigger Denial of Service or Information Disclosure via a modified nativeLang.xml file.

Notepad++ version 8.9.3 contains a format string injection vulnerability within its localization configuration parser. The application passes an unvalidated string from the nativeLang.xml file directly to the wsprintfW Windows API function. This flaw allows an attacker to cause an application crash or leak memory addresses by supplying a maliciously crafted language file.

Vulnerability Overview

CVE-2026-3008 is a format string injection vulnerability affecting Notepad++ version 8.9.3. The vulnerability resides in the application's localization system, specifically in how the Find Results panel retrieves and displays translated strings. The application relies on an external XML configuration file to populate user interface elements.

The specific component at fault is the string processing routine that handles the <find-result-hits> attribute. When a user performs a search operation, the application attempts to display the total number of hits by reading a localized template from nativeLang.xml. The application trusts the contents of this file implicitly and performs no structural validation on the retrieved string.

The vulnerability is classified as CWE-134 (Use of Externally-Controlled Format String). Exploitation requires local access or a social engineering component, as the victim must manually replace their legitimate language file with a malicious version. Once the file is in place, triggering any standard search operation activates the vulnerable code path.

Root Cause Analysis

The root cause of CVE-2026-3008 is the direct passage of an unvalidated string into the wsprintfW function as the format specifier argument. In the x64 binary of Notepad++ 8.9.3, the Find Results panel initializer is located at function sub_1400916C0. This function makes a call to sub_140099E60 to retrieve the localized string.

During string retrieval, the TinyXML parser extracts the value of the <find-result-hits> attribute from nativeLang.xml. The extracted value is loaded into a buffer without any sanitization or validation checks against unexpected format specifiers. The application assumes the localized string only contains the expected $INT_REPLACE$ or static text.

The application proceeds to execute wsprintfW at offset 0x140091E6D. The retrieved XML string is passed as the lpFmt argument rather than a data argument. Consequently, any standard C-style format specifiers present in the XML string are evaluated by the Windows API function.

Code Analysis

The execution flow from XML parsing to the vulnerable API call demonstrates a classic externally-controlled format string flaw. The decompiled pseudocode of the vulnerable component highlights the exact mechanism of the vulnerability.

// Vulnerable code path in Notepad++ 8.9.3
sub_140099E60(v37, v51, *(unsigned int *)(a1 + 196));  // Extract localized string
v38 = (const WCHAR *)v51;
// ... string manipulation and SSO handling ...
wsprintfW((LPWSTR)(a1 + 0xC8), v38);                   // v38 used directly as format string

In a secure implementation, the retrieved string must be treated strictly as data. The developer should pass a static format string to wsprintfW and provide the user-controlled string as an additional argument. Alternatively, safer C++ string formatting libraries should be utilized to construct the final output.
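The secure implementation described above, written out as an added example in portable C. This is not Notepad++'s own code (which is C++ and calls the Windows wsprintfW API); it shows the principle: the localized template is walked as data, the $INT_REPLACE$ placeholder is substituted by formatting only the integer with a compile-time constant format, and any % in the template is copied literally instead of being interpreted. The function names build_hits_label and label_equals are assumptions for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Placeholder the advisory names for the hit count in localized strings. */
static const wchar_t PLACEHOLDER[] = L"$INT_REPLACE$";

/* Build the "N hits" label from a localized template, treating the template
   strictly as data. Returns the number of characters written (without the
   terminator), or -1 if 'out' (capacity 'cap' in wchar_t) is too small.
   Hypothetical name, not a Notepad++ function. */
int build_hits_label(wchar_t *out, size_t cap, const wchar_t *tmpl, unsigned hits)
{
    size_t ph_len = wcslen(PLACEHOLDER);
    size_t pos = 0;
    if (cap == 0) return -1;
    while (*tmpl) {
        if (wcsncmp(tmpl, PLACEHOLDER, ph_len) == 0) {
            /* The only formatting ever performed uses a constant format string
               and formats the integer, never the user-controlled template. */
            wchar_t num[16];
            int n = swprintf(num, sizeof num / sizeof num[0], L"%u", hits);
            if (n < 0 || pos + (size_t)n >= cap) return -1;
            wmemcpy(out + pos, num, (size_t)n);
            pos += (size_t)n;
            tmpl += ph_len;
        } else {
            if (pos + 1 >= cap) return -1;
            out[pos++] = *tmpl++;   /* a '%' is copied verbatim, not interpreted */
        }
    }
    out[pos] = L'\0';
    return (int)pos;
}

/* Convenience check: does 'tmpl' render to exactly 'expected' for 'hits'? */
int label_equals(const wchar_t *tmpl, unsigned hits, const wchar_t *expected)
{
    wchar_t buf[128];
    if (build_hits_label(buf, sizeof buf / sizeof buf[0], tmpl, hits) < 0) return 0;
    return wcscmp(buf, expected) == 0;
}

int main(void)
{
    wchar_t label[128];
    /* Benign template as shipped in a legitimate language file */
    build_hits_label(label, 128, L"$INT_REPLACE$ hits", 42);
    wprintf(L"%ls\n", label);                 /* 42 hits */
    /* Tampered template of the shape the advisory describes: rendered verbatim */
    build_hits_label(label, 128, L"%s%s%s%s%s%s%s%s hits", 3);
    wprintf(L"%ls\n", label);                 /* %s%s%s%s%s%s%s%s hits */
    return 0;
}
```

On Windows the smallest fix for the call shown on the page is to supply a constant format, `wsprintfW(dst, L"%s", v38)`, so the XML value becomes an argument rather than the format. The function above goes a step further and removes printf-style parsing of the template altogether, which also handles the $INT_REPLACE$ substitution without ever handing the template to a formatting routine.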

The patch in version 8.9.4 remediates the vulnerability by altering how the UI element is populated. The format string is strictly defined within the compiled binary, ensuring that user-supplied configuration data cannot influence the execution of the wsprintfW instruction.

Exploitation Mechanics

Exploiting CVE-2026-3008 requires the attacker to modify the nativeLang.xml file on the target system. In a standard installation, this file is located at %APPDATA%\Notepad++\nativeLang.xml, while portable installations store it in <npp_directory>\nativeLang.xml. The attacker targets the <find-result-hits> attribute within the <Native-Langue> block.

To induce a Denial of Service, the attacker injects multiple string format specifiers. A payload such as <find-result-hits value="%s%s%s%s%s%s%s%s hits"/> forces wsprintfW to treat values on the stack as pointers to null-terminated strings. Since these values are rarely valid memory addresses, the application attempts to dereference unmapped memory, resulting in an immediate Access Violation (C0000005) and application crash.

Information disclosure is achieved by using hexadecimal format specifiers. A payload such as <find-result-hits value="Leak: %016llx %016llx %016llx hits"/> instructs wsprintfW to read raw values from the stack and registers. When the user performs a search, these leaked memory addresses are rendered directly in the Find Results panel text.

Remote Code Execution (RCE) is not achievable through this specific vulnerability. The Microsoft implementation of wsprintfW explicitly omits support for the %n format specifier, which is traditionally used to write data to memory. Additionally, the function enforces a strict 1024-character output limit, preventing complex buffer overflow exploitation via the format string.

Impact Assessment

The primary impact of CVE-2026-3008 is a Denial of Service condition affecting the local application. An attacker can render the Find Results functionality entirely unusable, causing a crash whenever a document search is performed. This severely disrupts the core functionality of the text editor.

The secondary impact is Information Disclosure. The ability to leak stack memory and CPU registers provides an attacker with internal memory addresses. While limited in direct utility, these leaked addresses can be used to bypass security mitigations such as Address Space Layout Randomization (ASLR) in a chained exploit scenario.

The CVSS v3.1 score is evaluated at 6.6 (Medium), reflecting the Local attack vector and the High impact on Availability. The requirement for the victim to use a malicious configuration file reduces the overall severity compared to unauthenticated network vulnerabilities. The Exploit Prediction Scoring System (EPSS) places the probability of widespread exploitation at 0.01%, consistent with the specialized requirements of the attack.

Remediation and Detection

The vulnerability is fully addressed in Notepad++ version 8.9.4. System administrators and users must update all installations to this version or newer. The update process replaces the vulnerable executable with a patched binary that safely handles localized strings.

In environments where immediate patching is not feasible, administrators can implement File Integrity Monitoring (FIM). Monitoring the nativeLang.xml file for unauthorized modifications limits the viability of the attack vector. Suspicious changes to the file, particularly the introduction of % characters in localization attributes, should be investigated.
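A concrete form of the check the paragraph describes, as an added example in C that is not part of the advisory or of Notepad++: it scans every value="..." attribute in a language file for printf-style conversions (%s, %x, %016llx, %p, %n and similar) while treating %% as a harmless literal percent, so a file-integrity hook or a pre-deployment review of a community language pack can raise an alert before a tampered file reaches users. The XML skeleton, the English name and the function names are constructed for the example; only the Native-Langue and find-result-hits names come from the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample language file: one benign and one tampered entry.
   The surrounding structure is a simplification, not the real schema. */
static const char SAMPLE_XML[] =
    "<NotepadPlus>\n"
    "  <Native-Langue name=\"English\">\n"
    "    <find-result-hits value=\"$INT_REPLACE$ hits\"/>\n"
    "    <find-result-hits value=\"Leak: %016llx %016llx %016llx hits\"/>\n"
    "  </Native-Langue>\n"
    "</NotepadPlus>\n";

/* Does 'val' contain a printf-style conversion? "%%" is a literal percent and
   is skipped; %s, %x, %016llx, %p, %n, %I64x and the like are flagged. */
int has_format_specifier(const char *val)
{
    const char *p = val;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }                      /* escaped percent */
        while (*p && strchr("-+ #0", *p)) p++;                 /* flags */
        while (*p && (isdigit((unsigned char)*p) || *p == '.' || *p == '*')) p++; /* width/precision */
        while (*p && strchr("lhLI", *p)) p++;                  /* length modifiers */
        while (*p && isdigit((unsigned char)*p)) p++;          /* I64 / I32 */
        if (*p && strchr("diouxXcspnSCaAeEfFgG", *p)) return 1; /* conversion character */
    }
    return 0;
}

/* Walk every value="..." attribute in 'xml' and count the ones that carry a
   format specifier; prints each hit. A naive substring scan, not an XML
   parser, which is enough for a monitoring check on this file. */
int count_suspicious_values(const char *xml)
{
    int flagged = 0;
    const char *p = xml;
    while ((p = strstr(p, "value=\"")) != NULL) {
        const char *start = p + 7;
        const char *end = strchr(start, '"');
        char buf[512];
        size_t len;
        if (!end) break;
        len = (size_t)(end - start);
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, start, len);
        buf[len] = '\0';
        if (has_format_specifier(buf)) {
            flagged++;
            printf("suspicious localized value: %s\n", buf);
        }
        p = end + 1;
    }
    return flagged;
}

int main(void)
{
    int n = count_suspicious_values(SAMPLE_XML);
    printf("%d suspicious value(s) found\n", n);   /* 1 suspicious value(s) found */
    return n > 0;   /* non-zero exit lets a FIM job or CI step fail on a hit */
}
```

Run against %APPDATA%\Notepad++\nativeLang.xml (or the portable directory's copy) from a scheduled job, and pair it with a hash comparison against the approved configuration from the organization's standard build so that any change, not only one containing a %, is noticed.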

Users who rely on community-provided language packs must exercise caution. Organizations should define a standard, approved configuration for Notepad++ and distribute it centrally, preventing users from installing untrusted XML configuration files.

Official Patches

Notepad++: Notepad++ v8.9.4 Release Notes
Notepad++ GitHub: GitHub Issue Tracking the Vulnerability

Technical Appendix

CVSS Score: 6.6 / 10 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H)
EPSS Probability: 0.01% (Top 98% most exploited)

Affected Systems

  • Notepad++ 8.9.3 (Installer and Portable versions)
  • Windows OS (x86/x64/ARM64) running affected Notepad++ binaries

Affected Versions Detail

Product: Notepad++
Affected Versions: 8.9.3
Fixed Version: 8.9.4

CWE ID: CWE-134
Attack Vector: Local / Social Engineering
CVSS v3.1 Score: 6.6 (Medium)
EPSS Score: 0.00012 (~1.72%)
Primary Impact: Denial of Service / Info Disclosure
Exploit Status: PoC Available
KEV Status: Not Listed

MITRE ATT&CK Mapping

T1204.002 User Execution: Malicious File (Execution)
T1499 Endpoint Denial of Service (Impact)
CWE-134 Use of Externally-Controlled Format String

The software uses externally-controlled strings as format strings in printf-style functions.

Known Exploits & Detection

GitHub: Proof of Concept exploit payload repository.
Technical Analysis: Detailed vulnerability write-up and exploitation guide.

Vulnerability Timeline

2026-04-09: Vulnerability confirmed (Crash and Info Disclosure).
2026-04-10: Discovery of wsprintfW constraints (1024-char limit, no %n). Vulnerability submitted to CSA by Hazley Samsudin.
2026-04-16: CSA coordinates with the Notepad++ development team.
2026-04-17: Issue #17960 opened on Notepad++ GitHub.
2026-04-26: Notepad++ v8.9.4 released with a fix.
2026-04-27: CVE-2026-3008 officially assigned and published.

References & Sources

  • [1] Notepad++ Release Notes v8.9.4
  • [2] GitHub Issue #17960
  • [3] Vendor Advisory (CSA Singapore)
  • [4] Technical Write-up
  • [5] CVE.org Record

Attack Flow Diagram (interactive diagram not captured in this text)