Windows 11 Notepad flaw let files execute silently via Markdown links

Microsoft has fixed a “remote code execution” vulnerability in Windows 11 Notepad that allowed attackers to execute local or remote programs by tricking users into clicking specially crafted Markdown links, without displaying any Windows security warnings.

With the release of Windows 1.0, Microsoft introduced Notepad, a simple, easy-to-use text editor that, over the years, became popular for quickly jotting notes, reading text files, creating to-do lists, or acting as a code editor.

For those who needed a rich text format (RTF) editor that supported different fonts, sizes, and formatting tools like bold, italics, and lists, you could use Windows Write and later WordPad.


However, with the release of Windows 11, Microsoft decided to discontinue WordPad and remove it from Windows.

Instead, Microsoft rewrote Notepad to modernize it so it could act as both a simple text editor and an RTF editor, adding Markdown support that lets you format text and insert clickable links.

Markdown support means Notepad can open, edit, and save Markdown files (.md), which are plain text files that use simple symbols to format text and represent lists or links.

For example, to bold text or create a clickable link, you would add the following Markdown text:


**This is bold text**
[Link to BleepingComputer](https://www.bleepingcomputer.com/)

Microsoft fixes Windows Notepad RCE flaw

As part of the February 2026 Patch Tuesday updates, Microsoft disclosed that it fixed a high-severity Notepad remote code execution flaw tracked as CVE-2026-20841.

“Improper neutralization of special elements used in a command (‘command injection’) in Windows Notepad App allows an unauthorized attacker to execute code over a network,” explains Microsoft’s security bulletin.

Microsoft has attributed the discovery of the flaw to Cristian Papa, Alasdair Gorniak, and Chen, and says it can be exploited by tricking a user into clicking a malicious Markdown link.

“An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files,” explains Microsoft.

“The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user,” continued the advisory.

The novelty of the flaw quickly drew attention on social media, with cybersecurity researchers quickly figuring out how it worked and how easy it was to exploit.

All someone had to do was create a Markdown file, like test.md, and create file:// links that pointed to executable files or used special URIs like ms-appinstaller://.

Markdown for creating links to executables or to install an app
Source: BTtea

If a user opened this Markdown file in Windows 11 Notepad versions 11.2510 and earlier and viewed it in Markdown mode, the above text would appear as a clickable link. If the link is clicked with Ctrl+click, it would automatically execute the file without Windows displaying a warning to the user.

The execution of the program without a warning is what Microsoft considers to be the remote code execution flaw.

Windows 11 command prompt launched without a warning
Source: BTtea

This could potentially allow attackers to create links to files on remote SMB shares that would then be executed without warning.

In BleepingComputer’s tests, Microsoft has now fixed the Windows 11 Notepad flaw by displaying warnings when clicking a link if it does not use the http:// or https:// protocol.

Windows 11 Notepad displays a warning when opening non-standard URLs
Source: BleepingComputer

Now, when clicking on all other types of URI links, including file:, ms-settings:, ms-appinstaller:, mailto:, and ms-search:, Notepad will display the above dialog.

However, it's unclear why Microsoft didn't just prevent non-standard links in the first place, as it is still possible to social engineer users into clicking the ‘Yes’ button on the prompts.

The good news is that Windows 11 will automatically update Notepad via the Microsoft Store, so the flaw will likely have no impact beyond its novelty.
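For defenders who want to audit Markdown files before they reach users, the following added example (not from the article or from Microsoft) applies the same policy the fixed Notepad uses, where only http:// and https:// links pass without review. The regular expressions cover inline links, autolinks and reference definitions rather than the full Markdown grammar, and treating relative targets as not needing review is an assumption.

```python
import re

# Policy described in the article: only http:// and https:// open without a prompt.
ALLOWED_SCHEMES = {"http", "https"}

# Link forms covered: [text](target), <scheme:target>, and "[id]: target" definitions.
LINK_PATTERNS = [
    re.compile(r"\[[^\]\n]*\]\(\s*<?([^)\s>]+)"),
    re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>"),
    re.compile(r"^ {0,3}\[[^\]\n]+\]:\s*<?([^\s>]+)", re.M),
]
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

def classify(target):
    """Return why a link target needs review, or None for http(s) and relative targets."""
    if target.startswith(("\\\\", "//")):
        return "UNC or network path"
    m = SCHEME.match(target)
    if not m:
        return None  # assumption: relative paths and #anchors carry no scheme to dispatch
    scheme = m.group(1).lower()
    if len(scheme) == 1:
        return "drive-letter path"
    return None if scheme in ALLOWED_SCHEMES else f"non-web scheme '{scheme}:'"

def scan_markdown(text):
    """Return sorted (line_number, target, reason) for every link that needs review."""
    findings = set()  # a set, so a target matched by two patterns is reported once
    for pattern in LINK_PATTERNS:
        for m in pattern.finditer(text):
            reason = classify(m.group(1))
            if reason:
                line = text.count("\n", 0, m.start(1)) + 1
                findings.add((line, m.group(1), reason))
    return sorted(findings)

# Constructed sample document; hosts and paths are placeholders.
SAMPLE = """\
[Link to BleepingComputer](https://www.bleepingcomputer.com/)
[Shared tool](file://fileserver.example/share/tool.exe)
[Install viewer](MS-AppInstaller://placeholder)
See <mailto:helpdesk@example.com> or the [wiki][w].

[w]: ms-settings:placeholder
"""

if __name__ == "__main__":
    for finding in scan_markdown(SAMPLE):
        print(finding)
```

Run over a mail gateway's attachment store or a shared drive, the findings list gives the line and target to review for each .md file.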
