New security flaw found in Microsoft Notepad courtesy of its latest “innovative” additions

Microsoft has confirmed a high severity Remote Code Execution vulnerability in the modern Notepad app for Windows 11, tracked as CVE-2026-20841 with a CVSS base score of 8.8. The issue is tied to command injection caused by improper handling of special elements inside Markdown links, which can let Notepad launch unverified protocol handlers. A crafted link in a Markdown file could fetch remote content and run it with the permissions of the user who opened the file.

Attackers would need to trick someone into opening a specially crafted Markdown file in Notepad and clicking a malicious link. The impact depends on the user’s privileges, since the code runs in that user’s security context. Microsoft rates the impact as high for confidentiality, integrity, and availability, with potential outcomes including data theft, unauthorized changes, and system instability.

The risk is closely tied to Notepad’s recent expansion beyond plain text editing in Windows 11. Microsoft has added features like Markdown rendering and clickable links, along with tabs and autosave, and several AI features courtesy of Copilot integration. As a result, Notepad now parses structured content and interacts with system protocols in ways the classic version never did. In this case, Markdown link handling is exactly what created the opening for the vulnerability. Microsoft says it has not seen active exploitation, and the fix is rolling out as part of the February 2026 Patch Tuesday update through Windows Update and the Microsoft Store.
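A defender-side check for the Markdown link handling described above, as an added example that is not part of the original article or Microsoft's fix: it lists link targets in a Markdown file whose URI scheme falls outside a small allowlist, so a file can be triaged before it is opened in a rendering editor. The allowlist, the regex-based link extraction, and the `example-handler` scheme in the constructed sample are assumptions.

```python
import re

# Schemes considered normal in documents. This allowlist is an assumption; tune it locally.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline links [text](target), reference definitions [id]: target, autolinks <scheme:...>
INLINE = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)")
REFDEF = re.compile(r"^[ \t]{0,3}\[[^\]]+\]:\s*<?([^\s>]+)", re.MULTILINE)
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.\-]{1,31}:[^\s<>]*)>")
# Two or more characters before ':' so a Windows drive letter (C:) is not read as a scheme
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]+):")

# Constructed sample input; the hosts, paths and example-handler scheme are placeholders.
SAMPLE = """# Release notes
See the [project site](https://example.com/docs).
Open the [installer](example-handler://host.invalid/setup) to continue.
Contact <mailto:team@example.com> or <Example-Handler:placeholder>.
[ref]: file:///C:/placeholder/readme.txt
A [relative link](notes/todo.md) has no scheme.
"""


def link_targets(markdown):
    """Yield (line_number, target) for every link destination found."""
    for pattern in (INLINE, REFDEF, AUTOLINK):
        for m in pattern.finditer(markdown):
            line = markdown.count("\n", 0, m.start(1)) + 1
            yield line, m.group(1)


def suspicious_links(markdown, allowed=ALLOWED_SCHEMES):
    """Return sorted (line, scheme, target) for links whose scheme is not allowlisted."""
    findings = set()
    for line, target in link_targets(markdown):
        # Drop control characters that could be used to disguise the scheme
        cleaned = re.sub(r"[\x00-\x20]", "", target)
        m = SCHEME.match(cleaned)
        if not m:
            continue  # relative path or fragment: no protocol handler involved
        scheme = m.group(1).lower()
        if scheme not in allowed:
            findings.add((line, scheme, target))
    return sorted(findings)


if __name__ == "__main__":
    for line, scheme, target in suspicious_links(SAMPLE):
        print(f"line {line}: scheme '{scheme}' not allowlisted -> {target}")
```

A regex pass like this is a triage aid rather than a full Markdown parser, so treat an empty result as "nothing obvious found" and still apply the update.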

by Mauricio B. Holguin

Windows Notepad is a fast, lightweight text editor that has been bundled with Windows since 1985. It supports plain text, UTF-8, and Linux newline formats, and is available in over 100 languages. Notepad's key features include support for Unicode, a simple interface, and the ability to save files as .txt. It is rated 3.1 and serves as a basic tool for text editing tasks.

Comments

soul1472
0

Info from CVE website about this: "Severity: High (7.8/10)". For Notepad. For NOTEPAD!

Gu