Windows Notepad Markdown Link Handling Flaw Enables Remote Code Execution

Updated April 11, 2026 at 05:09 PM (7 sources)

Microsoft patched a high-severity remote code execution issue in the modern Windows Notepad (Microsoft Store) app, tracked as CVE-2026-20841 (CVSS 8.8), caused by command injection (CWE-77) tied to improper neutralization of special elements used in commands. The weakness can be triggered when a user opens a booby-trapped Markdown (.md) file in Notepad and clicks an embedded malicious link; the app can be coerced into launching unverified protocols that load and execute remote content, resulting in code execution in the security context of the logged-in user (potentially full compromise if the user has admin rights).

Timeline

  1. Feb 13, 2026

    Advisory reports public PoC for CVE-2026-20841

    A February 13, 2026 advisory stated that proof-of-concept exploit code for CVE-2026-20841 was already public, raising the likelihood of real-world exploitation. The advisory reiterated that the flaw affected Microsoft Store Notepad versions from 11.0.0 up to, but not including, 11.2510, and urged users to update.

  2. Feb 10, 2026

    Microsoft says no active exploitation of the Notepad flaw is known

    In its disclosure and patching information, Microsoft indicated there were no known in-the-wild exploitation cases for CVE-2026-20841 at the time of release. Multiple reports noted the attack still required user interaction and social engineering.

  3. Feb 10, 2026

    Notepad update adds warnings for non-HTTP(S) Markdown links

    As part of the fix, Microsoft changed Notepad so clicking non-http/https links now triggers a warning instead of silently launching unverified protocols. The update was shipped via Microsoft Store in Notepad build 11.2510+.

  4. Feb 10, 2026

    Microsoft discloses and patches CVE-2026-20841 on Patch Tuesday

    On February 10, 2026, Microsoft disclosed and fixed CVE-2026-20841, a CVSS 8.8 remote code execution flaw in the Microsoft Store version of Notepad. The issue allowed malicious Markdown links using unverified protocols to execute local or remote content in the user's security context.

  5. Feb 10, 2026

    Researchers coordinate disclosure of Notepad RCE flaw

    Independent researchers Delta Obscura and "chen" reported a command-injection vulnerability in Windows Notepad's Markdown link handling to Microsoft. The flaw was later assigned CVE-2026-20841.

  6. May 1, 2025

    Microsoft rolls out Markdown support in Notepad

    Microsoft began rolling out Markdown functionality in Notepad, introducing the feature later tied to the remote code execution issue. This product change provided the attack surface abused by CVE-2026-20841.
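
The patched behaviour in the timeline above (warn on any link that is not http/https) can also be applied to Markdown files before a user opens them, for example during attachment triage. This is an added example, not code from Microsoft or the original reporting; the function name `risky_links`, the regexes and the sample document are constructed for illustration, and the regexes cover common inline, reference-style and autolink forms rather than the full CommonMark grammar.

```python
import re

# Schemes the patched Notepad opens without a warning, per the advisory text.
ALLOWED_SCHEMES = {"http", "https"}

# Assumed coverage: the three common Markdown link forms (not full CommonMark).
LINK_PATTERNS = [
    re.compile(r"\[[^\]\n]*\]\(\s*<?([^)\s>]+)"),                    # [text](target)
    re.compile(r"^[ \t]{0,3}\[[^\]\n]+\]:[ \t]*<?([^\s>]+)", re.M),  # [label]: target
    re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^\s<>]*)>"),             # <scheme:target>
]
# RFC 3986 scheme prefix; a bare drive letter such as "C:" also matches and is flagged.
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def risky_links(markdown_text):
    """Return sorted (line, scheme, target) for link targets whose scheme is not http/https."""
    findings = set()  # a set, because "[x](<target>)" matches two patterns
    for pattern in LINK_PATTERNS:
        for m in pattern.finditer(markdown_text):
            target = m.group(1)
            scheme_match = SCHEME.match(target)
            if not scheme_match:
                continue  # relative path or #anchor: no protocol handler is named
            scheme = scheme_match.group(1).lower()  # schemes are case-insensitive
            if scheme not in ALLOWED_SCHEMES:
                line = markdown_text.count("\n", 0, m.start(1)) + 1
                findings.add((line, scheme, target))
    return sorted(findings)


# Constructed sample document; the file:// target is the one quoted in the reporting.
SAMPLE = """\
# Release notes
See the [changelog](https://example.com/changelog "latest").
Open the [setup helper](file://C:/windows/system32/cmd.exe) first.
Install via <ms-appinstaller://example.invalid/app>.
Mixed case: [portal](FILE://C:/windows/system32/cmd.exe)
[docs]: https://example.com/docs
[tool]: ms-appinstaller://example.invalid/tool
Jump to [usage](#usage) or [readme](docs/readme.md).
"""

if __name__ == "__main__":
    for line, scheme, target in risky_links(SAMPLE):
        print(f"line {line}: {scheme} -> {target}")
```

An allowlist is used rather than a blocklist of known-bad schemes because the set of protocol handlers registered on a given Windows host is open-ended.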

Sources

February 11, 2026 at 05:06 AM

2 more from sources like bleeping computer and register security

Related Stories

Windows Notepad Markdown Link Validation Flaw Enables Arbitrary Command Execution


Microsoft patched a high-severity **remote code execution** issue in the modern *Windows Notepad* (Microsoft Store version) tracked as **CVE-2026-20841**, where improper validation of links in Markdown (`.md`) files can lead to arbitrary command execution in the context of the logged-in user. The flaw can be triggered when a victim opens a specially crafted Markdown file and clicks a rendered hyperlink; Notepad’s Markdown rendering/tokenization pipeline turns link text into interactive elements, and the click handler passes attacker-controlled link values onward with insufficient sanitization. Technical reporting indicates Notepad forwards the link target to `ShellExecuteExW()` with only minimal filtering (e.g., stripping leading/trailing slashes), allowing malicious protocol URIs such as `file://` and `ms-appinstaller://` to be invoked via registered protocol handlers. Exploitation is primarily social-engineering driven (email, downloads, or other delivery mechanisms) and requires user interaction (opening the file and clicking the link), but can result in execution of attacker-chosen commands or loading attacker-controlled content depending on protocol handler behavior and system configuration; the issue was disclosed via **Zero Day Initiative** and credited to researchers including Cristian Papa and Alasdair Gorniak (Delta Obscura), with additional analysis referenced by third-party reporting.

1 month ago

ThreatsDay Bulletin Highlights Microsoft Notepad Markdown Link RCE (CVE-2026-20841)

Microsoft patched a **Windows Notepad** command-injection vulnerability, **CVE-2026-20841** (CVSS **8.8**), that can lead to **remote code execution** when a user opens a Markdown file in Notepad and clicks a crafted malicious link. The issue is described as improper neutralization of special elements used in a command, enabling an attacker to trigger execution of remote or local payloads in the **security context of the logged-in user**. Public proof-of-concept examples indicate the flaw can be exercised using Markdown `file://` links pointing to executables (e.g., `file://C:/windows/system32/cmd.exe`) and other special URI handlers. The reporting appears as part of a broader weekly “ThreatsDay” roundup that also references other, separate security stories (e.g., AI prompt injection/RCE themes and other malware/exploit items), but the concrete, actionable item consistently detailed is the Notepad Markdown-link RCE and its patch. A separate “Daily Cyber News” post discusses Microsoft releasing fixes for multiple exploited flaws across widely deployed products, but it does not specifically corroborate the Notepad CVE or the Markdown-link exploitation path described in the roundup, making it contextually related to Microsoft patching activity but not the same discrete vulnerability story.

1 month ago

Exploitation of MSHTML Security Feature Bypass Patched in Microsoft February Update

Microsoft’s February 2026 security update addressed **59 vulnerabilities** across Windows, Azure, Microsoft Office, and Visual Studio Code, including **5 Critical** issues. NSFOCUS reported that **six vulnerabilities were already being exploited in the wild**, including **MSHTML Framework Security Feature Bypass (CVE-2026-21513)**, **Windows Shell Security Feature Bypass (CVE-2026-21510)**, **Microsoft Word Security Feature Bypass (CVE-2026-21514)**, **Desktop Window Manager EoP (CVE-2026-21519)**, **Windows Remote Access Connection Manager DoS (CVE-2026-21525)**, and **Windows Remote Desktop Service EoP (CVE-2026-21533)**. Akamai attributed active exploitation of **CVE-2026-21513** to **APT28**, reporting the flaw affects all supported Windows versions and enables a **security feature bypass leading to arbitrary file execution** (CVSS **8.8**). Akamai’s root-cause analysis placed the issue in `ieframe.dll`, in the `_AttemptShellExecuteForHlinkNavigate` hyperlink-navigation path, where insufficient URL validation can allow attacker-controlled input to reach code paths invoking `ShellExecuteExW`, enabling execution outside the intended browser security context. Akamai also linked a malicious sample (reported as `document.doc.LnK.download`) to APT28-associated infrastructure and described use of a crafted **`.lnk`** that embeds an HTML file and contacts **`wellnesscaremed[.]com`** as part of the exploitation chain prior to Microsoft’s February patch release.

1 month ago
