PT-2025-26588 · Unknown · Notepadnext
Titan Team · Published 2025-06-23 · Updated 2025-06-23
CVE-2025-52938
CVSS v4.0
5.1
Medium
| Vector | AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:Y/R:A/V:D/RE:M/U:Amber |
Name of the Vulnerable Software and Affected Versions:
NotepadNext versions through v0.11
Description:
The issue is an out-of-bounds read vulnerability in the NotepadNext Lua parser module, specifically in the singlevar() function in lparser.c. The luaK_exp2anyregup call is missing from singlevar(), which can lead to a heap-based buffer over-read, potentially impacting systems that compile untrusted Lua code.
Recommendations:
For versions through v0.11, consider disabling the singlevar() function in lparser.c as a temporary workaround to minimize the risk of exploitation. Restrict access to untrusted Lua code compilation to reduce the potential impact of this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Out-of-bounds Read
Related Identifiers
Affected Products
Notepadnext