Notepad++ 8.9.4 Fixes Vulnerability That Could Crash the App and Expose Memory Data


Notepad++ users should update to version 8.9.4 after maintainers fixed a security issue that could allow attackers to crash the application or expose memory address information.

The vulnerability is tracked as CVE-2026-3008 and affects Notepad++ 8.9.3. Singapore’s Cyber Security Agency says successful exploitation of the string injection flaw could let an attacker obtain memory address information or crash the application.

Notepad++ 8.9.4 also references CVE-2026-6539 in the same fix, along with several other crash-related bugs. The update was released on April 26, 2026.

What is the Notepad++ vulnerability?

The issue sits in the Find in Files feature. According to the official Notepad++ 8.9.4 release notes, the crash happens when the find-result-hits entry inside nativeLang.xml contains %s.

That sounds narrow, but it still matters for developers, administrators, and security teams who use Notepad++ every day. A crafted or modified language configuration file could trigger unstable behavior during search operations.

The main risk is not remote code execution. The confirmed impact is application crash and possible memory address disclosure. Still, leaked memory addresses can help attackers plan follow-up attacks by weakening protections such as address space layout randomization (ASLR).

Affected version and fixed version

Item | Details
--- | ---
Vulnerability | CVE-2026-3008
Related fix reference | CVE-2026-6539
Affected product | Notepad++
Affected version | 8.9.3
Fixed version | 8.9.4
Main component | Find in Files
Trigger | %s inside nativeLang.xml find-result-hits
Impact | App crash or memory address information leak

Users running Notepad++ 8.9.3 should install version 8.9.4 as soon as possible. Enterprise administrators should also check managed workstations because Notepad++ often runs outside centralized software inventories.

Users on older versions should update as well. The official advisory names 8.9.3 as affected, but older builds may also miss recent security hardening and crash fixes.

Why this matters for businesses

Notepad++ has a large footprint across developer machines, IT departments, support teams, and security operations. Even a crash-only flaw can disrupt work when the editor handles logs, scripts, configuration files, and incident response notes.

The memory disclosure angle gives the bug more weight. Memory address information can help attackers bypass protections in more complex exploit chains, especially when combined with other weaknesses.

This does not mean every Notepad++ user faces immediate compromise. It means organizations should treat the patch as a normal security update, not just a minor bug-fix release.

What Notepad++ 8.9.4 changes

Notepad++ 8.9.4 fixes the Find in Files crash tied to nativeLang.xml and the %s string. The official changelog lists the fix under issue #17960 and names both CVE-2026-3008 and CVE-2026-6539.

The same release also fixes a crash when dropping a file with a path length of 259 characters. It also addresses crashes linked to bad column editor input in virtual space.

The update includes other bug fixes and improvements, but the security-related Find in Files fix should be the priority for users and administrators.

What users should do now

  • Update Notepad++ to version 8.9.4 from the official website.
  • Avoid downloading installers from mirrors, repack sites, or unofficial software bundles.
  • Check the installed version from the Notepad++ Help menu.
  • Review systems that use custom nativeLang.xml files or language packs.
  • Push the update through normal patch management tools in business environments.
  • Monitor developer and admin workstations for repeated Notepad++ crashes.

For most users, installing version 8.9.4 should be enough. Teams that distribute customized Notepad++ language files should review those files and replace older builds quickly.
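One way to review custom language files for the trigger described above, as an added example that is not code from Notepad++ or from the advisories. It assumes the entry is an XML element named find-result-hits whose text sits in an attribute or in the element body. The sample file is constructed, and flagging printf-style specifiers other than %s goes beyond the case the release notes describe.

```python
import re
import sys
import xml.etree.ElementTree as ET

ENTRY = "find-result-hits"  # entry named in the 8.9.4 release notes
# "%s" is the reported trigger; other printf-style conversions are flagged
# too as a generalization (assumption, not stated in the advisory).
PRINTF_SPEC = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfgGaAcspn]")

# Constructed sample; the element layout is an assumption for illustration.
SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<NotepadPlus>
  <Native-Langue name="Example">
    <MiscStrings>
      <find-result-hits value="(%s hits)"/>
      <find-result-title value="Search"/>
    </MiscStrings>
  </Native-Langue>
</NotepadPlus>"""

def scan_lang_xml(xml_bytes):
    """Return (attribute name or 'text', value, specifiers) per flagged value."""
    findings = []
    for elem in ET.fromstring(xml_bytes).iter(ENTRY):
        candidates = list(elem.attrib.items()) + [("text", elem.text or "")]
        for name, value in candidates:
            # "%%" is a literal percent sign in printf syntax, so skip it.
            specs = PRINTF_SPEC.findall(value.replace("%%", ""))
            if specs:
                findings.append((name, value, specs))
    return findings

def main(paths):
    flagged = 0
    for path in paths:
        try:
            with open(path, "rb") as fh:
                results = scan_lang_xml(fh.read())
        except (OSError, ET.ParseError) as exc:
            print(f"{path}: could not be checked ({exc})")
            continue
        for name, value, specs in results:
            flagged += 1
            print(f"{path}: {ENTRY} {name}={value!r} contains {specs}")
    return 1 if flagged else 0

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    print(scan_lang_xml(SAMPLE))  # no arguments: run on the constructed sample
```

Pass one or more nativeLang.xml paths as arguments; the exit status is 1 when any file contains a flagged entry, which makes the script usable from an inventory or compliance job.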

FAQ

What is CVE-2026-3008?

CVE-2026-3008 is a string injection vulnerability in Notepad++ 8.9.3. It can crash the application or expose memory address information.

Which Notepad++ version is affected?

The official CSA advisory lists Notepad++ 8.9.3 as affected.

Which version fixes the vulnerability?

Notepad++ 8.9.4 fixes the issue.

Does this vulnerability allow remote code execution?

The confirmed impact is application crash and memory address disclosure. Official advisories do not describe it as remote code execution.
