Notepad++ < 7.7 (x64) - Denial of Service





# Exploit Title: Notepad++ all x64 versions before 7.7. Remote memory corruption via .ml file.
# Google Dork: N/A
# Date: 2019-09-14
# Exploit Author: Bogdan Kurinnoy (
# Vendor Homepage:
# Version: < 7.7
# Tested on: Windows x64
# CVE : CVE-2019-16294

# Description:

SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file. 

Open via affected notepad++ 

POC files:


(230.c64): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Notepad++\SciLexer.dll -
rax=00007ff8e64014c0 rbx=00000000000aaaaa rcx=00000000000aaaaa
rdx=0000000000000003 rsi=0000000000000000 rdi=00000000ffffffff
rip=00007ff8e63c071d rsp=000000aa06463d60 rbp=000000aa06463e81
r8=0000000000002fc8 r9=0000000000000000 r10=000000000000fde9
r11=000000aa06463d90 r12=0000000000000000 r13=0000000000000000
r14=0000000000000001 r15=0000000000000002
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
00007ff8e63c071d 0fb70458 movzx eax,word ptr [rax+rbx*2] ds:00007ff8e6556a14=????