- Microsoft fixes Windows 11 Notepad RCE bug CVE-2026-20841
- The vulnerability exploited Markdown links to execute malicious code with user permissions
- Patch Tuesday update fixes the issue; versions 11.2510 and earlier remain vulnerable
Microsoft has fixed an RCE (Remote Code Execution) bug in Windows 11 Notepad that could have allowed threat actors to run malware locally without the operating system even prompting the user.
Notepad is one of the oldest programs on Windows, having been around since its inception. It has evolved over the years, however, and with Windows 11 it now supports the Markdown format, which uses symbols for formatting: for example, adding an asterisk before and after a word makes it italic, and two asterisks make it bold.
Markdown also supports clickable links, which is where the problem lies. Microsoft’s notes for the February 2026 Patch Tuesday cumulative update say it fixed an “improper neutralization of special elements used in a command” bug in Notepad that could allow an attacker to run malicious code over a network.
Notepad phishing bait
The bug is tracked as CVE-2026-20841 and received a severity score of 8.8/10 (high).
“An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unauthenticated protocols that load and execute remote files,” Microsoft said.
“The malicious code will run in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user.”
In other words, if someone Ctrl+clicks on a malicious download link in a Notepad Markdown file, the action will be automatically performed without any warning to the user. Therefore, Notepad files could easily be used for phishing attacks and business email compromise (BEC).
Vulnerable versions include 11.2510 and earlier, so be sure to double-check which version you’re running. The bug should be automatically fixed with the Patch Tuesday update, but until that happens, make sure you don’t click on any suspicious links in Notepad.
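For defenders who want to triage Markdown files before anyone opens them, here is an added example (not Microsoft's code and not part of the original report) that lists every link whose URI scheme falls outside a small allowlist. The allowlist, the function names and the sample document are assumptions made for illustration; the advisory does not name the protocols involved.

```python
import re

# Assumption: only these schemes count as ordinary links; anything else is flagged.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline links and images: [text](target "title"), target optionally in <>.
INLINE = re.compile(r'\[[^\]]*\]\(\s*<?([^)\s>]+)')
# Reference definitions: [label]: target
REFDEF = re.compile(r'^[ ]{0,3}\[[^\]]+\]:[ \t]*<?([^\s>]+)', re.M)
# Autolinks: <scheme:rest>
AUTOLINK = re.compile(r'<([A-Za-z][A-Za-z0-9+.\-]{1,31}:[^\s<>]*)>')

def link_targets(markdown):
    """Yield (line_number, target) for each link target in the text."""
    for pattern in (INLINE, REFDEF, AUTOLINK):
        for m in pattern.finditer(markdown):
            yield markdown.count("\n", 0, m.start(1)) + 1, m.group(1)

def scheme_of(target):
    """Lower-cased URI scheme, or "" for relative links and fragments."""
    m = re.match(r'([A-Za-z][A-Za-z0-9+.\-]*):', target)
    return m.group(1).lower() if m else ""

def flag_links(markdown):
    """Sorted, de-duplicated (line, scheme, target) for non-allowlisted links."""
    findings = set()
    for line, target in link_targets(markdown):
        scheme = scheme_of(target)
        if scheme and scheme not in ALLOWED_SCHEMES:
            findings.add((line, scheme, target))
    return sorted(findings)

# Constructed sample; the two non-web schemes are placeholders, not real handlers.
SAMPLE = """\
# Q3 invoice
See the [portal](https://intranet.example/invoices) for details.
Open the [attachment](example-handler://files.example/invoice) to review.
[notes]: <other-scheme:run?arg=1>
Contact <mailto:ap@example.com> or see [section 2](#section-2).
"""

if __name__ == "__main__":
    for line, scheme, target in flag_links(SAMPLE):
        print(f"line {line}: scheme '{scheme}' -> {target}")
```

A hit is a reason to look at the file before it reaches a user, not a verdict, since plenty of legitimate documents link to non-web schemes.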
Via Bleeping Computer



