Microsoft has patched a critical remote code execution (RCE) flaw in the Windows Notepad app, tracked as CVE-2026-20841, which could let attackers run malicious code on victims’ machines.
Disclosed on February 10, 2026, Microsoft Patch Tuesday updates, the vulnerability stems from improper neutralization of special elements in commands (CWE-77: Command Injection) and carries a CVSS v3.1 base score of 8.8/10, rated “Important.”
The bug affects the modern Windows Notepad app, available via the Microsoft Store. An unauthorized attacker could exploit it over a network by tricking users into opening a booby-trapped Markdown (.md) file.
Once loaded, a malicious link inside the file prompts the app to handle unverified protocols. Clicking the link triggers Notepad to fetch and execute remote files, injecting arbitrary commands without proper sanitization.
Attackers craft Markdown files with hyperlinks using custom schemes (e.g., mimicking safe protocols but pointing to attacker-controlled servers). When a user opens the file in Notepad and clicks the link, the app processes it naively, leading to command injection.
The payload executes in the logged-in user’s security context, granting attackers the same privileges – from file access to privilege escalation if the user has admin rights.
The patch rolled out via the Microsoft Store for Notepad (build 11.2510+), with full release notes and a direct security update link. Users must update manually or enable auto-updates, as it’s customer action required. Microsoft credits independent researchers Delta Obscura (delta.cyberm.ca) and “chen” for coordinated disclosure.
This flaw underscores risks in everyday apps that handle rich text, such as Markdown, especially as Notepad evolves from a basic editor into a feature-rich tool. While legacy Notepad.exe remains unaffected, the Store version’s popularity amplifies exposure.
Link Archive
Disclosed on February 10, 2026, Microsoft Patch Tuesday updates, the vulnerability stems from improper neutralization of special elements in commands (CWE-77: Command Injection) and carries a CVSS v3.1 base score of 8.8/10, rated “Important.”
The bug affects the modern Windows Notepad app, available via the Microsoft Store. An unauthorized attacker could exploit it over a network by tricking users into opening a booby-trapped Markdown (.md) file.
Once loaded, a malicious link inside the file prompts the app to handle unverified protocols. Clicking the link triggers Notepad to fetch and execute remote files, injecting arbitrary commands without proper sanitization.
Attackers craft Markdown files with hyperlinks using custom schemes (e.g., mimicking safe protocols but pointing to attacker-controlled servers). When a user opens the file in Notepad and clicks the link, the app processes it naively, leading to command injection.
The payload executes in the logged-in user’s security context, granting attackers the same privileges – from file access to privilege escalation if the user has admin rights.
The patch rolled out via the Microsoft Store for Notepad (build 11.2510+), with full release notes and a direct security update link. Users must update manually or enable auto-updates, as it’s customer action required. Microsoft credits independent researchers Delta Obscura (delta.cyberm.ca) and “chen” for coordinated disclosure.
This flaw underscores risks in everyday apps that handle rich text, such as Markdown, especially as Notepad evolves from a basic editor into a feature-rich tool. While legacy Notepad.exe remains unaffected, the Store version’s popularity amplifies exposure.
Mitigation Steps
- Update Notepad immediately from the Microsoft Store.
- Enable automatic app updates in Windows Settings.
- Avoid opening untrusted Markdown files or clicking links in them.
- Use an antivirus with behavior-based detection for anomalous protocol handlers.
Link Archive
