New security flaw found in Microsoft Notepad courtesy of its latest “innovative” additions


Microsoft has confirmed a high severity Remote Code Execution vulnerability in the modern Notepad app for Windows 11, tracked as CVE-2026-20841 with a CVSS base score of 8.8. The issue is tied to command injection caused by improper handling of special elements inside Markdown links, which can let Notepad launch unverified protocol handlers. A crafted link in a Markdown file could fetch remote content and run it with the permissions of the user who opened the file.

Attackers would need to trick someone into opening a specially crafted Markdown file in Notepad and clicking a malicious link. The impact depends on the user’s privileges, since the code runs in that user’s security context. Microsoft rates the impact as high for confidentiality, integrity, and availability, with potential outcomes including data theft, unauthorized changes, and system instability.

The risk is closely tied to Notepad’s recent expansion beyond plain text editing in Windows 11. Microsoft has added Markdown rendering and clickable links, along with tabs, autosave and several AI features courtesy of Copilot integration, so Notepad now parses structured content and interacts with system protocols in ways the classic version never did. In this case, Markdown link handling is exactly what created the opening for the vulnerability. Microsoft says it has not seen active exploitation, and the fix is rolling out as part of the February 2026 Patch Tuesday update through Windows Update and the Microsoft Store.
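Defender-side triage for the link-handling issue described above: an added example, not code from Microsoft or from this article, that lists every Markdown link target whose URI scheme would be dispatched to a registered protocol handler rather than to a browser or mail client. The regexes, the scheme allowlist and the sample document are constructed for the demonstration and are assumptions, not Notepad's actual parser rules.

```python
import re
import sys
from urllib.parse import urlsplit

# Triage heuristic, not a full CommonMark parser: it covers the common link
# forms (inline links, reference definitions, autolinks) and reports any target
# whose URI scheme is outside the allowlist, i.e. anything that would be handed
# to a registered protocol handler rather than a browser or mail client.
INLINE_LINK = re.compile(r'\[[^\]]*\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)')
REF_DEF = re.compile(r'^\s{0,3}\[[^\]]+\]:\s*<?([^\s>]+)>?', re.MULTILINE)
AUTOLINK = re.compile(r'<([A-Za-z][A-Za-z0-9+.-]{1,31}:[^\s<>]*)>')

ALLOWED_SCHEMES = {"http", "https", "mailto"}  # policy choice; tighten as needed


def link_targets(markdown: str) -> list:
    """Return every link target, grouped by link form in document order."""
    targets = [m.group(1) for m in INLINE_LINK.finditer(markdown)]
    targets += [m.group(1) for m in REF_DEF.finditer(markdown)]
    targets += [m.group(1) for m in AUTOLINK.finditer(markdown)]
    return targets


def scheme_of(target: str) -> str:
    # urlsplit returns '' for relative paths and '#anchors'; those stay local
    # and are never passed to a handler, so they are not flagged.
    return urlsplit(target.strip()).scheme.lower()


def suspicious_links(markdown: str) -> list:
    """(scheme, target) pairs whose scheme is not on the allowlist."""
    findings = []
    for target in link_targets(markdown):
        scheme = scheme_of(target)
        if scheme and scheme not in ALLOWED_SCHEMES:
            findings.append((scheme, target))
    return findings


def scan_file(path: str) -> list:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_links(fh.read())


# Constructed sample document; the custom schemes are placeholders, not real handlers.
SAMPLE_MD = """\
# Release notes (constructed sample)

See [the docs](https://example.com/docs) and [email us](mailto:team@example.com).
Open [the report](example-handler://open?path=report) for details.
Relative [readme](./README.md) and anchor [top](#top) stay local.
<custom-scheme:open-item> is an autolink form.

[ref]: vendor-app://launch
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = [(p, f) for p in paths for f in scan_file(p)] if paths else \
        [("sample", f) for f in suspicious_links(SAMPLE_MD)]
    for source, (scheme, target) in results:
        print(f"{source}: non-allowlisted scheme '{scheme}' -> {target}")
```

Run it with one or more .md paths to triage files before they are opened in a Markdown-rendering editor; with no arguments it scans the embedded sample.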

by Mauricio B. Holguin



Comments

SleipnirTheHorse
1

Wow, and I was hoping to use it for my writings?

coth
3

Microsoft will never learn. Those active link vulnerabilities have been there since early versions of Internet Explorer in Windows 95. Stop processing links in every app. Forward them to browsers, that's it.

UserPower
3

Your TV is watching you.

Your watch is tracking you.

Your toaster is listening to you.

And nowadays, even your default text editor is spying on you.

2 replies
BorisF

Toaster is not listening yet. But your weather app is tracking and listening. I recently learned that the worst tracking offenders were weather apps on the phone. They create a detailed database of your activity based on GPS tracking and listening to other apps that are concurrently running. If you do not want to be tracked 24/7, do not run Weather all the time. Check the weather and immediately swipe the weather app away. Do not give it permission to load at boot/reboot.

BorisF

"Your TV is watching you."

There is a solution for that. Do not connect your TV to the Internet. Ever. Modern TVs have a chip that takes snapshots of what you are watching even if you are connecting through an external device. So use streaming players only. There is still a choice of players, from mostly private and expensive to less private but collecting information only to target ads.

soul1472
2

Info from the CVE website about this: "Severity: High (7.8/10)". For Notepad. For NOTEPAD!

1 reply
BorisF

They made Notepad something it was not supposed to be. What happened to Notepad that was there to dump some text to be looked at later? Now it connects to the Internet to run scripts (intentionally or not) and fetch data from databases? Isn't that what Office and other programs like that are for?
