Microsoft has fixed a “remote code execution” vulnerability in Windows 11 Notepad that allowed attackers to execute local or remote programs by tricking users into clicking specially crafted Markdown links, without displaying any Windows security warnings.
With the release of Windows 1.0, Microsoft introduced Notepad, a simple, easy-to-use text editor that, over time, became popular for quickly jotting notes, reading text files, creating to-do lists, or acting as a code editor.
For those who needed a rich text format (RTF) editor that supported different fonts, sizes, and formatting tools like bold, italics, and lists, you could use Windows Write and later WordPad.
However, with the release of Windows 11, Microsoft decided to discontinue WordPad and remove it from Windows.
Instead, Microsoft rewrote Notepad to modernize it so it could act as both a simple text editor and an RTF editor, adding Markdown support that lets you format text and insert clickable links.
Markdown support means Notepad can open, edit, and save Markdown files (.md), which are plain text files that use simple symbols to format text and represent lists or links.
For example, to bold text or create a clickable link, you’d add the following Markdown text:
**This is bold text**
[Link to BleepingComputer](https://www.bleepingcomputer.com/)
Microsoft fixes Windows Notepad RCE flaw
As part of the February 2026 Patch Tuesday updates, Microsoft disclosed that it fixed a high-severity Notepad remote code execution flaw tracked as CVE-2026-20841.
“Improper neutralization of special elements used in a command (‘command injection’) in Windows Notepad App allows an unauthorized attacker to execute code over a network,” explains Microsoft’s security bulletin.
Microsoft has attributed the discovery of the flaw to Cristian Papa, Alasdair Gorniak, and Chen, and says it can be exploited by tricking a user into clicking a malicious Markdown link.
“An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files,” explains Microsoft.
“The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user,” continued the advisory.
The novelty of the flaw quickly drew attention on social media, with cybersecurity researchers quickly figuring out how it worked and how easy it was to exploit.
All someone had to do was create a Markdown file, like test.md, and create file:// links that pointed to executable files or used special URIs like ms-appinstaller://.

Source: BTtea
If a user opened this Markdown file in Windows 11 Notepad versions 11.2510 and earlier and viewed it in Markdown mode, the above text would appear as a clickable link. If the link is clicked with Ctrl+click, it would automatically execute the file without Windows displaying a warning to the user.
The execution of the program without a warning is what Microsoft considers to be the remote code execution flaw.

Source: BTtea
This could potentially allow attackers to create links to files on remote SMB shares that would then be executed without warning.
In BleepingComputer’s tests, Microsoft has now fixed the Windows 11 Notepad flaw by displaying warnings when clicking a link if it doesn’t use the http:// or https:// protocol.

Source: BleepingComputer
Now, when clicking on all other types of URI links, including file:, ms-settings:, ms-appinstaller:, mailto:, and ms-search:, Notepad will display the above dialog.
However, it's unclear why Microsoft didn't just prevent non-standard links in the first place, as it is still possible to social engineer users into clicking the ‘Yes’ button on the prompts.
The good news is that Windows 11 will automatically update Notepad via the Microsoft Store, so the flaw will likely have no impact beyond its novelty.
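A defender-side check that mirrors the patched behaviour described above, as an added example that is not code from BleepingComputer or Microsoft: it lists every link in a Markdown file whose scheme is not http or https. The function name, the regexes, and the sample document (with placeholder paths and hosts) are constructed for illustration.

```python
import re

ALLOWED = {"http", "https"}  # schemes the patched Notepad opens without a prompt (per the article)

LINK_PATTERNS = [
    re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)"),                            # [text](target)
    re.compile(r"^[ ]{0,3}\[[^\]]+\]:[ \t]*<?(\S+?)>?(?:[ \t]|$)", re.M),  # [id]: target
    re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>"),                    # <scheme:target>
]
SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")
FILE_HOST = re.compile(r"file://([^/]+)/", re.I)

def audit_markdown(text):
    """Return sorted (line, scheme, target, note) tuples for links outside ALLOWED."""
    seen = {}
    for pattern in LINK_PATTERNS:
        for m in pattern.finditer(text):
            target = m.group(1)
            sm = SCHEME.match(target)
            if not sm:
                continue  # relative path or #anchor: no scheme to check
            scheme = sm.group(1).lower()
            if scheme in ALLOWED:
                continue
            note = "non-web URI scheme"
            if scheme == "file":
                host = FILE_HOST.match(target)
                remote = host and host.group(1).lower() != "localhost"
                note = f"file on remote host {host.group(1)}" if remote else "local file"
            line = text.count("\n", 0, m.start(1)) + 1
            # Key on (line, target) so overlapping patterns report a link once.
            seen[(line, target)] = (line, scheme, target, note)
    return sorted(seen.values())

# Constructed sample document; every path and host is a placeholder.
SAMPLE = """\
**This is bold text**
[Link to BleepingComputer](https://www.bleepingcomputer.com/)
[Open report](file:///C:/placeholder/report.exe)
[Shared tool](file://fileserver.example/share/tool.exe)
[Install](ms-appinstaller://placeholder)
[Section](#usage)
<mailto:someone@example.com>
[ref]: ms-settings:placeholder
"""

if __name__ == "__main__":
    for line, scheme, target, note in audit_markdown(SAMPLE):
        print(f"line {line}: {scheme:16} {note:40} {target}")
```

Run over .md files arriving by mail or download, this gives a reviewer the same signal the patched prompt gives the user, before the file is opened.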