2026-02-12

Microsoft patches Windows 11 Notepad RCE flaw CVE-2026-20841

Vulnerability exploited Markdown links to execute malicious code with user permissions

Patch Tuesday update fixes issue; versions 11.2510 and earlier remain vulnerable

Microsoft has patched a remote code execution (RCE) flaw in Windows 11 Notepad which could have allowed threat actors to run malware locally without the OS prompting the user at all.

Notepad is one of the oldest programs on Windows, having shipped since the operating system's first release. It has evolved over the years, and on Windows 11 it now supports Markdown, a format that uses plain-text symbols for formatting: for example, wrapping a word in single asterisks makes it italic, and double asterisks make it bold.

Markdown also supports clickable links, which is where the problem lies. Microsoft's notes for its February 2026 Patch Tuesday cumulative update say it fixed an "improper neutralization of special elements used in a command" bug (CWE-77, command injection) in Notepad that could allow an attacker to run malicious code. The flaw is classed as remote code execution because the malicious file can be delivered over a network, although the code itself runs on the victim's machine.

Notepad phishing baits

The flaw is tracked as CVE-2026-20841 and was given a severity score of 8.8/10 (high).

"An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files," Microsoft said.

"The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user."

In other words, if a user Ctrl+clicks a malicious link in a Markdown file opened in Notepad, the linked protocol handler is launched and the remote payload runs with that user's permissions, with no prompt or warning. A Markdown attachment is therefore a convenient lure for phishing and business email compromise (BEC) campaigns.
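The following PowerShell triage script is an added example for this article; it is not code from Microsoft, BleepingComputer or the original piece. It lists every inline Markdown link in a folder of .md files and flags any target whose URI scheme is not http, https or mailto. The article does not name the protocol handler abused by CVE-2026-20841, so the script deliberately flags every non-web scheme for a human to review rather than matching a specific one. The sample file it writes to a temp folder is constructed here, and the scheme "example-scheme" in it is a non-functional placeholder, not a real handler.

```powershell
# Added triage example (not from the article or from Microsoft): enumerate
# inline Markdown links and flag any scheme outside a small allow list.
$AllowedSchemes = @('http', 'https', 'mailto')

function Get-SuspiciousMarkdownLinks {
    param([Parameter(Mandatory)][string]$Path)

    # Inline links look like [text](target "optional title"); the target is
    # captured up to the first closing parenthesis or whitespace.
    $linkPattern   = '\[[^\]]*\]\(\s*<?([^)\s>]+)>?'
    # A URI scheme is letters/digits/+/./- followed by a colon.
    $schemePattern = '^([A-Za-z][A-Za-z0-9+.\-]*):'

    Get-ChildItem -Path $Path -Filter *.md -File -Recurse | ForEach-Object {
        $file   = $_
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $file.FullName) {
            $lineNo++
            foreach ($m in [regex]::Matches($line, $linkPattern)) {
                $target = $m.Groups[1].Value
                # Links without a scheme (relative paths, anchors) are skipped here;
                # only explicit non-web schemes are reported.
                if ($target -match $schemePattern) {
                    $scheme = $Matches[1].ToLower()
                    if ($scheme -notin $AllowedSchemes) {
                        [pscustomobject]@{
                            File   = $file.FullName
                            Line   = $lineNo
                            Scheme = $scheme
                            Target = $target
                        }
                    }
                }
            }
        }
    }
}

# Constructed sample input: one harmless web link, one mailto link, and one
# placeholder non-web scheme that should be flagged.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'md-link-triage'
New-Item -ItemType Directory -Force -Path $sample | Out-Null
@'
# Quarterly notes
See [the report](https://example.com/report) and [the attachment](example-scheme://constructed/placeholder).
Contact [us](mailto:team@example.com).
'@ | Set-Content -LiteralPath (Join-Path $sample 'notes.md')

# Expected: a single row for line 2 with Scheme = example-scheme.
Get-SuspiciousMarkdownLinks -Path $sample | Format-Table -AutoSize
```

Point `-Path` at a mail-attachment quarantine or a user's Downloads folder to find Markdown files worth a second look before anyone opens them in Notepad. Treat the allow list as a starting point; any scheme it reports is a prompt for review, not proof of exploitation.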

Notepad versions 11.2510 and earlier are vulnerable, so check which version you are running. The fix arrives with the Patch Tuesday update; until it is installed, do not click links in Markdown files from untrusted sources opened in Notepad.
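The version check below is an added PowerShell example, not code from Microsoft or the article. It assumes the Windows 11 Notepad is installed as the Store package Microsoft.WindowsNotepad (an assumption, stated in the code) and reports whether the installed major.minor version is 11.2510 or earlier, the range the article names as vulnerable. Because the article does not give the build number that carries the fix, anything newer is reported as "confirm against the advisory" rather than "patched".

```powershell
# Added example (not from the article): report the installed Notepad app
# version and flag the range the article lists as vulnerable (11.2510 and earlier).
# Assumption: the Windows 11 Notepad is the Store package Microsoft.WindowsNotepad.
# The fixed build number is not given in the article, so newer versions are only
# marked as "confirm against the advisory", not as patched.
$LastVulnerable = [version]'11.2510'

# Without -AllUsers this reports the current user's package; run elevated with
# -AllUsers to cover every profile on the machine.
$pkgs = Get-AppxPackage -Name 'Microsoft.WindowsNotepad' -ErrorAction SilentlyContinue
if (-not $pkgs) {
    Write-Output 'Microsoft.WindowsNotepad package not found for this user (legacy notepad.exe only, or not installed).'
    return
}

foreach ($p in $pkgs) {
    # Package versions look like 11.2510.x.y; compare on major.minor only,
    # since that is how the article states the vulnerable version.
    $v  = [version]$p.Version
    $mm = [version]"$($v.Major).$($v.Minor)"
    $state = if ($mm -le $LastVulnerable) {
        'VULNERABLE (11.2510 or earlier) - apply the February 2026 update'
    } else {
        'newer than 11.2510 - confirm against the advisory for CVE-2026-20841'
    }
    Write-Output ('{0}  version {1}  -> {2}' -f $p.Name, $p.Version, $state)
}
```

The same version string is visible in Notepad's own Settings page under About, so the script is only a convenience for checking many machines; the authoritative fixed build is whatever Microsoft's advisory for CVE-2026-20841 lists.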

Via BleepingComputer

