Windows Notepad Flaw Allows Remote Code Execution by Attackers

Microsoft has released a patch addressing a critical remote code execution (RCE) flaw discovered in the Windows Notepad app. Tracked as CVE-2026-20841, this vulnerability could enable attackers to execute malicious code on compromised systems.

Disclosed on February 10, 2026, Microsoft Patch Tuesday updates, the vulnerability stems from improper neutralization of special elements in commands (CWE-77: Command Injection) and carries a CVSS v3.1 base score of 8.8/10, rated “Important.”

The bug affects the modern Windows Notepad app, available via the Microsoft Store. An unauthorized attacker could exploit it over a network by tricking users into opening a booby-trapped Markdown (.md) file.

Once loaded, a malicious link inside the file prompts the app to handle unverified protocols. Clicking the link triggers Notepad to fetch and execute remote files, injecting arbitrary commands without proper sanitization.

Attackers craft Markdown files with hyperlinks using custom schemes (e.g., mimicking safe protocols but pointing to attacker-controlled servers). When a user opens the file in Notepad and clicks the link, the app processes it naively, leading to command injection.

The payload executes in the logged-in user’s security context, granting attackers the same privileges – from file access to privilege escalation if the user has admin rights.

The patch rolled out via the Microsoft Store for Notepad (build 11.2510+), with full release notes and a direct security update link. Users must update manually or enable auto-updates, as it’s customer action required. Microsoft credits independent researchers Delta Obscura (delta.cyberm.ca) and “chen” for coordinated disclosure.

This flaw underscores risks in everyday apps that handle rich text, such as Markdown, especially as Notepad evolves from a basic editor into a feature-rich tool. While legacy Notepad.exe remains unaffected, the Store version’s popularity amplifies exposure.

Mitigation Steps

• Update Notepad immediately from the Microsoft Store.
• Enable automatic app updates in Windows Settings.
• Avoid opening untrusted Markdown files or clicking links in them.
• Use an antivirus with behavior-based detection for anomalous protocol handlers.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.