CVE-2023-40031: Buffer Overflow Vulnerability in Notepad++

Notepad++ is a renowned open-source code editor. Because of its vast user base, security researchers have scrutinized it and uncovered numerous vulnerabilities. Among these, one flaw (CVE-2023-40031) has received a CVSS rating of 7.8 out of 10, which places it in the high-risk category.

Researchers reported this flaw to the developers at the end of April 2023. Regrettably, the vulnerability remained unaddressed even after the release of Notepad++ v8.5.6.

Because more than three months have elapsed since the developers were notified, the researchers have opted to disclose the vulnerability and its proof-of-concept publicly. This decision aims to heighten security awareness among Notepad++ users and to prompt its developers to make the necessary fixes.

The following is the vulnerability information:
  • CVE-2023-40031 (CVSS score of 7.8): heap buffer write overflow in `Utf8_16_Read::convert`. This issue may lead to arbitrary code execution.
  • CVE-2023-40036 (CVSS score of 5.5): global buffer read overflow in `CharDistributionAnalysis::HandleOneChar`. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information.
  • CVE-2023-40164 (CVSS score of 5.5): global buffer read overflow in `nsCodingStateMachine::NextState`. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information.
  • CVE-2023-40166 (CVSS score of 5.5): heap buffer read overflow in `FileManager::detectLanguageFromTextBegining`. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information.