
TRUMPF: Multiple products include a vulnerable version of Notepad++

VDE-2024-003
Last update
22.05.2025 15:03
Published at
23.01.2024 08:00
Vendor(s)
Trumpf SE + Co. KG
External ID
VDE-2024-003
CSAF Document

Summary

The TRUMPF products listed under Affected Product(s) contain a vulnerable version of Notepad++. This version is installed for support purposes only, so there is no danger of triggering this vulnerability in Notepad++ during normal operations. Nevertheless, TRUMPF recommends mitigating this vulnerability.

When editing a specially crafted file containing UTF-8 characters in Notepad++ (versions up to 8.5.6) and converting that file to UTF-16, a buffer overflow vulnerability can be exploited that allows an attacker to execute arbitrary code and take over the whole system.
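The conversion step named above is where the size check matters. As an added illustration that is neither the advisory's nor Notepad++'s code, the following converter sizes its UTF-16 output for the worst case and refuses any write past that capacity, replacing truncated or malformed UTF-8 sequences with U+FFFD; the sample inputs in the helper are constructed, and nothing here reproduces the actual Notepad++ code path.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Worst case for UTF-8 -> UTF-16: each input byte becomes at most one code unit
 * (ASCII, or a malformed byte replaced by U+FFFD); 4 bytes become only 2 units. */
size_t utf16_units_needed(size_t in_len) { return in_len; }
/* Decode one sequence from in[0..len); returns bytes consumed (>= 1). Malformed
 * or truncated input yields U+FFFD and consumes a single byte. */
static size_t decode_one(const unsigned char *in, size_t len, uint32_t *cp) {
    unsigned char b = in[0]; size_t n; uint32_t lo;
    if (b < 0x80) { *cp = b; return 1; }
    else if ((b & 0xE0) == 0xC0) { n = 2; *cp = b & 0x1F; lo = 0x80; }
    else if ((b & 0xF0) == 0xE0) { n = 3; *cp = b & 0x0F; lo = 0x800; }
    else if ((b & 0xF8) == 0xF0) { n = 4; *cp = b & 0x07; lo = 0x10000; }
    else { *cp = 0xFFFD; return 1; }                 /* stray continuation byte */
    if (n > len) { *cp = 0xFFFD; return 1; }          /* sequence cut off at end */
    for (size_t i = 1; i < n; i++) {
        if ((in[i] & 0xC0) != 0x80) { *cp = 0xFFFD; return 1; }
        *cp = (*cp << 6) | (in[i] & 0x3F);
    }
    if (*cp < lo || *cp > 0x10FFFF || *cp - 0xD800 < 0x800) /* overlong/range/surrogate */
        *cp = 0xFFFD;
    return n;
}
/* Convert in[0..in_len) to UTF-16. Returns code units written, or -1 if out_cap
 * would be exceeded: the check before every write that CWE-120 code lacks. */
long utf8_to_utf16(const unsigned char *in, size_t in_len, uint16_t *out, size_t out_cap) {
    size_t i = 0, w = 0;
    while (i < in_len) {
        uint32_t cp;
        i += decode_one(in + i, in_len - i, &cp);
        size_t need = cp >= 0x10000 ? 2 : 1;          /* surrogate pair or not */
        if (w + need > out_cap) return -1;
        if (need == 2) {
            cp -= 0x10000;
            out[w++] = (uint16_t)(0xD800 | (cp >> 10));
            out[w++] = (uint16_t)(0xDC00 | (cp & 0x3FF));
        } else out[w++] = (uint16_t)cp;
    }
    return (long)w;
}
/* Check helper over constructed sample inputs (not taken from the advisory):
 * converts s into a buffer of cap units and returns the units written (or -1);
 * when exp is given, the output must also equal exp, else -2 is returned. */
long convert_check(const char *s, size_t n, size_t cap, const uint16_t *exp) {
    uint16_t out[64];
    long w = utf8_to_utf16((const unsigned char *)s, n, out, cap > 64 ? 64 : cap);
    if (w >= 0 && exp && memcmp(out, exp, (size_t)w * sizeof out[0]) != 0) return -2;
    return w;
}
```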

Impact

A user who is editing and converting a specially crafted file using the vulnerable Notepad++ version in the TRUMPF products listed above can allow an attacker to execute code on the local server. This can impact the confidentiality, integrity and availability of information on the affected system.

Affected Product(s)

Model no. | Product name | Affected versions
 | Oseon | <=V3.0.24
 | TruTops Fab (Storage) | <=V22.7

Vulnerabilities


Published
22.09.2025 14:57
Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary

Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to heap buffer write overflow in 'Utf8_16_Read::convert'. This issue may lead to arbitrary code execution. As of time of publication, no known patches are available in existing versions of Notepad++.

References

Published
22.09.2025 14:57
Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary

Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to global buffer read overflow in 'CharDistributionAnalysis::HandleOneChar'. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information. As of time of publication, no known patches are available in existing versions of Notepad++.

References

Published
22.09.2025 14:57
Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary

Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to global buffer read overflow in 'nsCodingStateMachine::NextStater'. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information. As of time of publication, no known patches are available in existing versions of Notepad++.

References

Published
22.09.2025 14:57
Weakness
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120)
Summary

Notepad++ is a free and open-source source code editor. Versions 8.5.6 and prior are vulnerable to heap buffer read overflow in 'FileManager::detectLanguageFromTextBegining'. The exploitability of this issue is not clear. Potentially, it may be used to leak internal memory allocation information. As of time of publication, no known patches are available in existing versions of Notepad++.

References

Mitigation

For additional questions, please contact your TRUMPF Service with the PR number 501709.

Remediation

Please download the replacement tool here.

Revision History

Version | Date | Summary
1 | 23.01.2024 08:00 | Initial revision.
2 | 22.05.2025 15:03 | Fix: quotation mark