Microsoft has fixed a security flaw in the Windows 11 Notepad application that let attackers launch programs on a victim's machine without triggering the usual operating system warnings. The vulnerability, tracked as CVE-2026-20841, affected the updated Notepad with Markdown support. This modernized text editor, which replaced the now-retired WordPad, lets users write formatted text and clickable hyperlinks in Markdown documents.
The flaw allowed attackers to embed specially crafted file:// links or other non-web URIs in otherwise harmless-looking .md files. When a victim opened such a file in a vulnerable Notepad version and Ctrl+clicked the link, the linked program launched immediately. No security dialog or consent prompt appeared, so a single click became a silent command execution vector.
Because a file:// link can point at a network share, an attacker could use the technique to run an executable hosted on a remote location without any verification step. Microsoft credited independent researchers with discovering and reporting the flaw. The company's advisory classified it as a command injection weakness with a network attack vector that still depends on user interaction: the victim has to open the document and click the link, which makes social engineering the delivery method.
With the February 2026 Patch Tuesday updates, the corrected Notepad shows a warning dialog for any link whose scheme is not http: or https:. That covers file:, ms-settings:, mailto: and every other non-web scheme. Some security researchers have asked why this check was not in place from the start. Because Notepad is updated automatically through the Microsoft Store, most users already have the fix without manual intervention; environments that block Store updates by policy should confirm the installed Notepad version before assuming they are covered.
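The allowlist described above (http and https pass, everything else warns) is easy to apply on the inbound side as well, for example when triaging .md attachments before they reach a user. The scanner below is an added example written for this page, not Microsoft's code or the researchers' proof of concept. It assumes three common Markdown link forms (inline links, angle-bracket autolinks and reference definitions), which it matches heuristically rather than with a full CommonMark parser, and for file: URIs it pulls out the UNC host so a link to a remote share stands out from a link to a local path. The sample document at the bottom is constructed for the example.

```python
"""Flag Markdown links whose scheme is not http/https.

Added example, not Microsoft's or the reporting researchers' code. It applies
the same allowlist the patched Notepad is described as using (http and https
pass, everything else warns) to the link targets found in a .md file, and for
file: URIs it extracts the UNC host so a remote-share target is visible.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}

# Three common link forms; a heuristic extractor, not a CommonMark parser.
INLINE_RE = re.compile(r'\[[^\]]*\]\(\s*([^)\s<][^)\s]*)(?:\s+"[^"]*")?\s*\)')
AUTOLINK_RE = re.compile(r'<([A-Za-z][A-Za-z0-9+.\-]{1,31}:[^<>\s]*)>')
REFDEF_RE = re.compile(r'^\s{0,3}\[[^\]]+\]:\s*(\S+)\s*$', re.MULTILINE)
SCHEME_RE = re.compile(r'^([A-Za-z][A-Za-z0-9+.\-]*):')


@dataclass
class LinkFinding:
    target: str
    scheme: Optional[str]       # None for relative links and bare Windows paths
    remote_host: Optional[str]  # UNC host for file://host/... or \\host\... targets
    flagged: bool
    reason: str


def extract_links(md: str) -> List[str]:
    """Return every link target in document order."""
    hits = []
    for rx in (INLINE_RE, AUTOLINK_RE, REFDEF_RE):
        hits.extend((m.start(), m.group(1)) for m in rx.finditer(md))
    return [target for _, target in sorted(hits)]


def classify(target: str) -> LinkFinding:
    """Apply the http/https allowlist and identify remote file: targets."""
    m = SCHEME_RE.match(target)
    scheme = m.group(1).lower() if m else None
    if scheme is not None and len(scheme) == 1:
        scheme = None  # "C:\tools\x.exe" is a drive path, not a URI scheme
    if scheme in SAFE_SCHEMES:
        return LinkFinding(target, scheme, None, False, "web link")
    if scheme == "file":
        host = urlsplit(target).netloc or None  # file://srv/share -> "srv"
        where = f"UNC host {host!r}" if host else "a local path"
        return LinkFinding(target, scheme, host, True, f"file: URI to {where}")
    if target.startswith("\\\\"):
        host = target[2:].split("\\", 1)[0] or None
        return LinkFinding(target, None, host, True, f"bare UNC path on host {host!r}")
    if scheme is None:
        return LinkFinding(target, None, None, True, "no URI scheme; resolution is up to the viewer")
    return LinkFinding(target, scheme, None, True, f"non-web scheme {scheme!r}")


def scan_markdown(md: str) -> List[LinkFinding]:
    """Classify every link in a Markdown document."""
    return [classify(t) for t in extract_links(md)]


def flagged_targets(md: str) -> List[str]:
    """Targets that would trigger the patched Notepad's warning dialog."""
    return [f.target for f in scan_markdown(md) if f.flagged]


# Constructed sample for this example, not a document from the advisory.
SAMPLE_MD = """# Release notes

Docs: [project site](https://example.com/docs) and [mirror](http://example.org).
Contact: <mailto:team@example.com>
Open display settings: [here](ms-settings:display)
Installer: [run me](file://fileserver/share/setup.exe)
Local copy: [notes](file:///C:/Users/Public/notes.txt)

[readme]: ./README.md
"""

if __name__ == "__main__":
    for f in scan_markdown(SAMPLE_MD):
        mark = "WARN" if f.flagged else "ok  "
        print(f"{mark} {f.target:45} {f.reason}")
```

Run on the sample, the two web links pass and the other five targets are flagged; the file://fileserver/... link is reported with its UNC host, which is the case the advisory's "remote network locations" wording refers to. Drive-letter paths and bare \\host\share paths are handled as well, since Windows will accept both even though neither is a URI scheme.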
