CVE-2023-40031

HIGH

Notepad++ < 8.5.6 - Heap-based Buffer Overflow in Utf8_16_Read::convert

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-40031. PoCs published by webraybtl.

AI-analyzed exploit summary This repository provides a technical analysis of CVE-2023-40031, a heap buffer overflow vulnerability in Notepad++'s Utf8_16_Read::convert function during UTF-16 to UTF-8 conversion. It includes details on the root cause, affected versions, and reproduction environment but lacks actual exploit code.

Description

Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to heap buffer write overflow in `Utf8_16_Read::convert`. This issue may lead to arbitrary code execution. As of time of publication, no known patches are available in existing versions of Notepad++.

Exploits (1)

nomisec WRITEUP 15 stars

by webraybtl · poc

https://github.com/webraybtl/CVE-2023-40031

View Code ZIP pw:eip

This repository provides a technical analysis of CVE-2023-40031, a heap buffer overflow vulnerability in Notepad++'s Utf8_16_Read::convert function during UTF-16 to UTF-8 conversion. It includes details on the root cause, affected versions, and reproduction environment but lacks actual exploit code.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Theoretical

Target: Notepad++ <=8.5.6

No auth needed

Prerequisites: Vulnerable version of Notepad++ installed · Ability to deliver crafted input to the application

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory x_refsource_confirm

https://securitylab.github.com/advisories/GHSL-2023-092_Notepad__/

Scores

CVSS v3 7.8

EPSS 0.0049

EPSS Percentile 38.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-122 CWE-120

Status published

Products (1)

notepad-plus-plus/notepad\+\+ < 8.5.6

Published Aug 25, 2023

Tracked Since Feb 18, 2026