CVE-2022-31902
- Denial Of Service (DoS) in
Notepad++(x86)in8.4.3and before.
Description
- Vulnerability triggering, via opening a specially crafted text file (
e.g. first.txt) and then using optionsFind All in All Opened DocumentorFind All in Current Opened Documentunder Find options.
As an illustrative example below, as of 11/07/2022, latest version of Notepad++(x86) is 8.4.3 is used.
Proof of Concept -
- Open first.txt and Search for any character in Notepad++, and press
Find All in All Opened DocumentorFind All in Current Opened Documentbutton.
Result :
Visual Studio 2019 Dump Analysis
Here we can see, the problem is in ScintallComponent -> ScintillaWin.cxx-> Line number 3699.
Root Cause Analysis
-
When user uses the find functionality of notepad++ in
first.txt, it results in application to crash. -
Notepad++ calls a function finder::add in findReplaceDlg.cpp file which calls push_back(foundinfo) function, which internally calls for memory allocation of size 4bf21 .
-
Due to lack of memory, the
new_operatoris unable to allocate the memory and returns bad_alloc. -
So we can say that, Searching for a character in
first.txtusingFind All in All Opened Documentbutton, leading to Denial of Service.
Tested Versions
The vulnerability is tested to work on following version:
- Notepad++ 8.3.2 32-bit
- Notepad++ 8.3.3 32-bit.
- Notepad++ 8.4.0 32-bit.
- Notepad++ 8.4.1 32-bit.
- Notepad++ 8.4.2 32-bit.
- Notepad++ 8.4.3 32-bit.
Tested Environment
- Windows 11 - 22563.1000 64 bit
- Windows 10 - 10.0.19042.1586 64-bit
- Windows 10 - 10.0.19044.1706 64-bit
Update
- As of 05-01-2023, this issue still persists in the
Notepad++ versions 8.4.8 (32-bit) and before. - As of 01-02-2023, this issue still persists in the
Notepad++ versions 8.4.9 (32-bit) and before.



