CVE-2023-40166
Notepad++ vulnerability analysis and mitigation

Overview

Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to a heap buffer read overflow in FileManager::detectLanguageFromTextBegining. The vulnerability was discovered and reported by GHSL team member Jaroslav Lobačevski in April 2023, and was assigned CVE-2023-40166 with a CVSS v3.1 score of 5.5 (Medium) (NVD, GitHub Security Lab).

Technical details

The vulnerability occurs in the FileManager::detectLanguageFromTextBegining function, which advances the data pointer until a non-space character is detected or lenFile is reached. In the latter case, the code continues reading 32 bytes (40 - 8, where 8 is the extra padding added for the incomplete multibyte character case) past the end of the data buffer. This happens because there is no check, at the end of the loop, that the value of i + longestLength is still less than dataLen (GitHub Security Lab).
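The following is an added example, not Notepad++ source code: a constructed C++ model of the pattern described above, showing how the 32-byte figure arises and what a clamped comparison window looks like. The marker table, the whitespace set and all function names are assumptions made for illustration; only the 40-byte window and the 8-byte padding come from the text.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Constructed model of the pattern described above; not Notepad++ source.
static const size_t kLongestLength = 40; // window size, from the advisory text
static const size_t kPadding = 8;        // buffer padding, from the advisory text

struct Marker { const char* text; int lang; };
static const Marker kMarkers[] = {       // hypothetical marker table
    {"<?xml", 1}, {"<?php", 2}, {"<html", 3}, {"#!", 4},
};

static bool isSpace(unsigned char c) { return c == ' ' || c == '\t' || c == '\r' || c == '\n'; }

// Index of the first non-whitespace byte, or lenFile if there is none.
size_t skipLeadingSpace(const unsigned char* data, size_t lenFile) {
    size_t i = 0;
    while (i < lenFile && isSpace(data[i])) ++i;
    return i;
}

// Bytes a fixed 40-byte read at offset i would take from beyond the
// (lenFile + padding)-byte allocation. Computed only, never performed.
size_t overreadBytes(size_t i, size_t lenFile) {
    size_t end = i + kLongestLength, alloc = lenFile + kPadding;
    return end > alloc ? end - alloc : 0;
}

// Hardened form: the comparison window is clamped to the bytes that remain.
int detectLanguageChecked(const unsigned char* data, size_t lenFile) {
    size_t i = skipLeadingSpace(data, lenFile);
    size_t avail = lenFile - i;              // i <= lenFile, cannot underflow
    if (avail > kLongestLength) avail = kLongestLength;
    for (const Marker& m : kMarkers) {
        size_t n = std::strlen(m.text);
        if (n <= avail && std::memcmp(data + i, m.text, n) == 0) return m.lang;
    }
    return 0;                                // unknown, or nothing left to inspect
}

int main() {
    unsigned char blank[16 + kPadding];      // constructed: 16 spaces plus padding
    std::memset(blank, ' ', 16);
    std::memset(blank + 16, 0, kPadding);
    size_t i = skipLeadingSpace(blank, 16);
    std::printf("offset=%zu overread=%zu lang=%d\n", i, overreadBytes(i, 16),
                detectLanguageChecked(blank, 16));
    return 0;
}
```

Building a fuzz or regression harness around the real function with AddressSanitizer enabled is the practical way to confirm that a whitespace-only input no longer reads past the allocation.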

Impact

The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information (NVD, Security Online).

Mitigation and workarounds

As of the time of publication, no known patches are available in existing versions of Notepad++ (NVD).

This report was generated using AI.

Related Notepad++ vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2023-47452 | HIGH | 7.8 | Notepad++ | cpe:2.3:a:notepad-plus-plus:notepad\+\+ | No | Yes | Nov 30, 2023 |
| CVE-2023-6401 | HIGH | 7.8 | Notepad++ | cpe:2.3:a:notepad-plus-plus:notepad\+\+ | No | Yes | Nov 30, 2023 |
| CVE-2025-49144 | HIGH | 7.3 | Notepad++ | cpe:2.3:a:notepad-plus-plus:notepad\+\+ | No | Yes | Jun 23, 2025 |
| CVE-2023-40166 | MEDIUM | 5.5 | Notepad++ | cpe:2.3:a:notepad-plus-plus:notepad\+\+ | No | Yes | Aug 25, 2023 |
| CVE-2023-40164 | MEDIUM | 5.5 | Notepad++ | cpe:2.3:a:notepad-plus-plus:notepad\+\+ | No | Yes | Aug 25, 2023 |
