CVE-2026-52885 in Notepad++
Summary
by MITRE • 06/27/2026
Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (Time-of-Check). However, the command payload is taken from the in-memory _userCommands vector, which is populated at application startup and never re-synchronized with the on-disk file (Time-of-Use). Swapping shortcuts.xml between startup and command execution causes the HMAC check to validate a clean file while a malicious command runs. An attacker with write access to shortcuts.xml places a malicious version on disk before launch, then immediately restores the legitimate file. The HMAC check at execution time validates the restored legitimate file (check passes), while the malicious payload executes from memory. This vulnerability is fixed in 8.9.6.4.
Analysis
by VulDB Data Team • 06/27/2026
The vulnerability in Notepad++ prior to version 8.9.6.4 represents a classic time-of-check to time-of-use race condition that enables privilege escalation through command injection. This flaw exists within the NppCommands.cpp component where the application performs HMAC validation on the shortcuts.xml configuration file at the moment a user command executes rather than at startup when the file is first loaded into memory. The technical implementation creates a window of opportunity between when the HMAC signature is validated against the on-disk file and when the actual command payload is executed from an in-memory vector structure, specifically the _userCommands vector that gets populated during application initialization and remains static throughout the session.
The operational impact of this vulnerability stems from the fact that attackers with write permissions to the shortcuts.xml file can exploit this race condition by manipulating the file content between application startup and command execution. During the application launch process, an attacker can replace the legitimate shortcuts.xml with a malicious version containing harmful command payloads, then quickly restore the original clean file before the command execution occurs. This technique allows the HMAC validation to pass successfully since it validates against the restored legitimate file while simultaneously executing the malicious code that was loaded into memory during the initial startup phase. The vulnerability directly maps to CWE-367 Time-of-Check to Time-of-Use Race Condition, where the security check occurs at a different point in time than when the resource is actually used.
This attack vector demonstrates a fundamental flaw in how Notepad++ handles configuration file validation and command execution synchronization. The application's architecture fails to maintain consistency between disk-based configuration data and in-memory command structures, creating an exploitable gap that allows attackers to bypass the HMAC integrity check on shortcuts.xml and execute arbitrary commands with the privileges of the running Notepad++ process. The vulnerability is particularly concerning given Notepad++'s widespread use as a code editor where users might have elevated privileges or be working with sensitive files. From an adversarial perspective, this flaw aligns with ATT&CK technique T1059.001 Command and Scripting Interpreter, where adversaries execute malicious commands through legitimate system interfaces.
The fix implemented in version 8.9.6.4 addresses this vulnerability by synchronizing the validation process to ensure that HMAC checks occur against the same file content that will be used during command execution. This prevents the race condition by ensuring that the configuration file validation and payload execution are atomic operations, eliminating the window where an attacker could substitute malicious content between check and use phases. The mitigation strategy involves maintaining consistent state between disk-based configuration files and in-memory command structures, ensuring that any modifications to configuration files require either complete reinitialization of the command system or immediate re-validation of all loaded commands against current file contents.
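The following is an added illustration, not Notepad++ code and not the actual patch: a toy C++ model of the check/use split described above and of the corrected shape. The on-disk file, its stored MAC, the key, the "name=command" line format and the FNV-based keyed hash (used only so the example needs no crypto library) are all constructed assumptions; the point it makes is that the HMAC must be verified over the same bytes the command is parsed from, so that no file swap between load and execution can separate the two.

```cpp
// Added example (not Notepad++ code): toy model of the CWE-367 pattern above.
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

// Simulated on-disk state (assumption: the product keeps a MAC beside the file).
struct Disk {
    std::string shortcutsXml;
    std::string storedMac;
};

// Toy keyed MAC with HMAC's ipad/opad layering over FNV-1a 64-bit. It stands
// in for a real HMAC-SHA256 purely to keep the example dependency-free.
static std::uint64_t fnv1a(const std::string& data) {
    std::uint64_t h = 1469598103934665603ULL;
    for (unsigned char c : data) { h ^= c; h *= 1099511628211ULL; }
    return h;
}

static std::string toyHmac(const std::string& key, const std::string& msg) {
    std::string ipad(64, '\0'), opad(64, '\0');
    for (std::size_t i = 0; i < 64; ++i) {
        unsigned char k = i < key.size() ? static_cast<unsigned char>(key[i]) : 0;
        ipad[i] = static_cast<char>(k ^ 0x36);
        opad[i] = static_cast<char>(k ^ 0x5c);
    }
    std::uint64_t inner = fnv1a(ipad + msg);
    std::string innerBytes(reinterpret_cast<const char*>(&inner), sizeof inner);
    char buf[17];
    std::snprintf(buf, sizeof buf, "%016llx",
                  static_cast<unsigned long long>(fnv1a(opad + innerBytes)));
    return std::string(buf);
}

// Toy parser: one "name=command" line per entry stands in for the real XML.
static std::vector<std::string> parseCommands(const std::string& xml) {
    std::vector<std::string> cmds;
    std::size_t pos = 0;
    while (pos < xml.size()) {
        std::size_t nl = xml.find('\n', pos);
        if (nl == std::string::npos) nl = xml.size();
        std::string line = xml.substr(pos, nl - pos);
        std::size_t eq = line.find('=');
        if (eq != std::string::npos) cmds.push_back(line.substr(eq + 1));
        pos = nl + 1;
    }
    return cmds;
}

// Vulnerable shape: commands parsed once at startup and never re-read; the
// check at fire time covers whatever is on disk *now*, the payload is memory.
struct VulnerableEditor {
    std::vector<std::string> userCommands;
    void startup(const Disk& d) { userCommands = parseCommands(d.shortcutsXml); }
    std::optional<std::string> fire(const Disk& d, std::size_t idx, const std::string& key) const {
        if (toyHmac(key, d.shortcutsXml) != d.storedMac) return std::nullopt; // check: disk
        if (idx >= userCommands.size()) return std::nullopt;
        return userCommands[idx];                                              // use: memory
    }
};

// Fixed shape: read the file once, verify the MAC over that buffer, and run
// the command parsed from that same buffer. Check and use cannot diverge.
struct FixedEditor {
    std::optional<std::string> fire(const Disk& d, std::size_t idx, const std::string& key) const {
        std::string snapshot = d.shortcutsXml;             // single read
        if (toyHmac(key, snapshot) != d.storedMac) return std::nullopt;
        std::vector<std::string> cmds = parseCommands(snapshot);
        if (idx >= cmds.size()) return std::nullopt;
        return cmds[idx];
    }
};

struct Outcome { std::string vulnerable; std::string fixed; };

// Replays the advisory's sequence with constructed data: tampered file present
// at startup, legitimate file restored before the command fires.
static Outcome replayRace() {
    const std::string key = "constructed-key";
    const std::string legit = "build=make\n";
    Disk disk{legit, toyHmac(key, legit)};     // MAC was computed over the legit file
    disk.shortcutsXml = "build=tampered-cmd\n"; // constructed stand-in, swapped in before launch
    VulnerableEditor v; v.startup(disk);
    disk.shortcutsXml = legit;                 // restored before use
    Outcome o;
    o.vulnerable = v.fire(disk, 0, key).value_or("");
    o.fixed = FixedEditor{}.fire(disk, 0, key).value_or("");
    return o;
}

// If the tampered file is still on disk at fire time, the MAC check itself fails.
static bool bothRefuseWhenTamperedRemains() {
    const std::string key = "constructed-key";
    Disk disk{"build=tampered-cmd\n", toyHmac(key, "build=make\n")};
    VulnerableEditor v; v.startup(disk);
    return !v.fire(disk, 0, key) && !FixedEditor{}.fire(disk, 0, key);
}

int main() {
    Outcome o = replayRace();
    std::printf("vulnerable runs: %s\nfixed runs: %s\n", o.vulnerable.c_str(), o.fixed.c_str());
    return 0;
}
```

In the replay, the vulnerable shape passes its check (the restored file matches the stored MAC) yet returns the command parsed from the tampered file, while the fixed shape returns the legitimate command because the bytes it verified are the bytes it parsed. A real implementation would additionally use a constant-time comparison for the MAC and a proper HMAC, neither of which this toy provides.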
This vulnerability highlights the importance of proper synchronization mechanisms in security-critical applications where configuration data influences execution behavior. The flaw underscores the necessity of implementing robust validation strategies that prevent attackers from exploiting temporal inconsistencies between security checks and resource usage, particularly in applications that dynamically load and execute user-defined commands. The remediation approach demonstrates the critical need for maintaining data integrity throughout application lifecycle operations, ensuring that validation processes remain effective regardless of when configuration changes might occur during execution phases.