Notebook Pro 2.0 Denial of Service via Notebook Name Field
Description
Notebook Pro 2.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the notebook name field. Attackers can create a malicious text file containing 500 or more characters, paste the content into the New Notebook Name field, and trigger an application crash when attempting to create and save the notebook.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Notebook Pro 2.0 crashes when a user pastes a string of 500+ characters into the New Notebook Name field during notebook creation.
Vulnerability
Notebook Pro 2.0, a Windows 10 application available from the Microsoft Store, contains a denial of service vulnerability in the notebook creation dialog. When a user supplies an excessively long string (500 or more characters) into the New Notebook Name field, the application crashes upon clicking "Create & Save". The issue is triggered by pasting the long string into the input field; no authentication or special privileges are required beyond local access to the system. Affected version: Notebook Pro 2.0 as distributed at the time of the disclosure (September 2018) [1], [2].
Exploitation
An attacker with local access to a Windows 10 system can craft a text file containing 500 or more identical characters (e.g., 'A' * 500) using a Python script or any text editor. The attacker then opens Notebook Pro 2.0, clicks "New" to create a new notebook, and pastes the content of the malicious file into the New Notebook Name field. When the attacker clicks "Create & Save", the application crashes immediately [1], [2]. No user interaction beyond the victim performing these same steps is required if the attacker can convince the victim to open the app and paste the string.
Impact
Successful exploitation causes Notebook Pro 2.0 to terminate unexpectedly, resulting in a denial of service. The application becomes unavailable for the current session, and any unsaved work may be lost. The crash does not appear to allow code execution, privilege escalation, or persistent data corruption beyond the loss of unsaved notes. The impact is limited to local disruption of the application [1], [2].
Mitigation
As of the available references (2018), no official patch or advisory from the vendor (Stoked On It) has been published. Users are advised to avoid pasting untrusted or excessively long strings into the New Notebook Name field. If the application is still in use, consider limiting local access to trusted users only. The vendor's product page and store listing may provide future updates; however, no fixed version is documented [1], [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: 2.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the notebook name field allows an excessively long string to overflow a buffer or exhaust resources, causing a crash."
Attack vector
A local attacker creates a text file containing 500 or more characters (e.g., 500 'A' characters) using a Python script [ref_id=1]. The attacker then launches Notebook Pro 2.0 on Windows 10, clicks "New" and then the notebook button to create a new notebook, and pastes the malicious string into the "New NoteBook Name" field. When the attacker clicks "Create & Save", the application crashes due to an inability to handle the excessively long input [ref_id=1].
Affected code
The advisory does not specify the exact function or file path within Notebook Pro 2.0 that is at fault. The vulnerability is triggered through the "New NoteBook Name" text input field in the application's user interface.
What the fix does
No patch or vendor fix is documented in the available references. The advisory does not indicate that the vendor has released an update to address this issue. Remediation would require the developer to implement input validation that limits the length of the notebook name field to a safe maximum before processing the create-and-save operation.
Preconditions
- authAttacker must have local access to a Windows 10 system with Notebook Pro 2.0 installed.
- inputAttacker must be able to copy text from a file and paste it into the application's input field.
Reproduction
1. Run the provided Python exploit script to generate a file named "Notebook.txt" containing 500 'A' characters [ref_id=1]. 2. Launch Notebook Pro 2.0 on Windows 10. 3. Click "New" and then click the notebook button to create a new notebook. 4. Paste the content of "Notebook.txt" into the "New NoteBook Name" field. 5. Click "Create & Save". The application will crash immediately [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- www.exploit-db.com/exploits/45420mitreexploit
- www.vulncheck.com/advisories/notebook-pro-denial-of-service-via-notebook-name-fieldmitrethird-party-advisory
News mentions
0No linked articles in our index yet.