Windows Notepad Markdown Link Validation Flaw Enables Arbitrary Command Execution
Microsoft patched a high-severity remote code execution issue in the modern Windows Notepad (Microsoft Store version) tracked as CVE-2026-20841, where improper validation of links in Markdown (.md) files can lead to arbitrary command execution in the context of the logged-in user. The flaw can be triggered when a victim opens a specially crafted Markdown file and clicks a rendered hyperlink; Notepad’s Markdown rendering/tokenization pipeline turns link text into interactive elements, and the click handler passes attacker-controlled link values onward with insufficient sanitization.
Technical reporting indicates Notepad forwards the link target to ShellExecuteExW() with only minimal filtering (e.g., stripping leading/trailing slashes), allowing malicious protocol URIs such as file:// and ms-appinstaller:// to be invoked via registered protocol handlers. Exploitation is primarily social-engineering driven (email, downloads, or other delivery mechanisms) and requires user interaction (opening the file and clicking the link), but can result in execution of attacker-chosen commands or loading attacker-controlled content depending on protocol handler behavior and system configuration; the issue was disclosed via Zero Day Initiative and credited to researchers including Cristian Papa and Alasdair Gorniak (Delta Obscura), with additional analysis referenced by third-party reporting.
Timeline
Feb 20, 2026
Public PoC released for Windows Notepad vulnerability
Public proof-of-concept code for CVE-2026-20841 was released on GitHub, demonstrating how a crafted Markdown file and malicious hyperlink could be used to trigger command execution in vulnerable modern Notepad versions. Reporting noted that no workaround was available and that user interaction was required for exploitation.
Feb 19, 2026
ZDI publishes technical analysis of Windows Notepad RCE
The Zero Day Initiative published a technical write-up on CVE-2026-20841, explaining that insufficient validation of Markdown link values in modern Windows Notepad could let crafted protocol URIs reach ShellExecuteExW() and trigger arbitrary command execution. The analysis described exploitation via a malicious .md file opened in Notepad and a user clicking a malicious link.
Feb 10, 2026
Microsoft patches CVE-2026-20841 in February 2026 updates
Microsoft fixed CVE-2026-20841, a high-severity remote code execution flaw in the modern Microsoft Store version of Windows Notepad, during the February 2026 Patch Tuesday cycle. The issue affects Notepad version 11.2508 and earlier, with patched builds reported as 11.2510 and later.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Affected Products
Sources
Related Stories
Windows Notepad Markdown Link Handling Flaw Enables Remote Code Execution
Microsoft patched a high-severity **remote code execution** issue in the modern *Windows Notepad* (Microsoft Store) app, tracked as **CVE-2026-20841** (CVSS 8.8), caused by **command injection** (`CWE-77`) tied to improper neutralization of special elements used in commands. The weakness can be triggered when a user opens a booby-trapped **Markdown (`.md`)** file in Notepad and clicks an embedded malicious link; the app can be coerced into launching **unverified protocols** that load and execute remote content, resulting in code execution in the **security context of the logged-in user** (potentially full compromise if the user has admin rights).
3 weeks ago
ThreatsDay Bulletin Highlights Microsoft Notepad Markdown Link RCE (CVE-2026-20841)
Microsoft patched a **Windows Notepad** command-injection vulnerability, **CVE-2026-20841** (CVSS **8.8**), that can lead to **remote code execution** when a user opens a Markdown file in Notepad and clicks a crafted malicious link. The issue is described as improper neutralization of special elements used in a command, enabling an attacker to trigger execution of remote or local payloads in the **security context of the logged-in user**. Public proof-of-concept examples indicate the flaw can be exercised using Markdown `file://` links pointing to executables (e.g., `file://C:/windows/system32/cmd.exe`) and other special URI handlers. The reporting appears as part of a broader weekly “ThreatsDay” roundup that also references other, separate security stories (e.g., AI prompt injection/RCE themes and other malware/exploit items), but the concrete, actionable item consistently detailed is the Notepad Markdown-link RCE and its patch. A separate “Daily Cyber News” post discusses Microsoft releasing fixes for multiple exploited flaws across widely deployed products, but it does not specifically corroborate the Notepad CVE or the Markdown-link exploitation path described in the roundup, making it contextually related to Microsoft patching activity but not the same discrete vulnerability story.
1 months ago
Exploitation of MSHTML Security Feature Bypass Patched in Microsoft February Update
Microsoft’s February 2026 security update addressed **59 vulnerabilities** across Windows, Azure, Microsoft Office, and Visual Studio Code, including **5 Critical** issues. NSFOCUS reported that **six vulnerabilities were already being exploited in the wild**, including **MSHTML Framework Security Feature Bypass (CVE-2026-21513)**, **Windows Shell Security Feature Bypass (CVE-2026-21510)**, **Microsoft Word Security Feature Bypass (CVE-2026-21514)**, **Desktop Window Manager EoP (CVE-2026-21519)**, **Windows Remote Access Connection Manager DoS (CVE-2026-21525)**, and **Windows Remote Desktop Service EoP (CVE-2026-21533)**. Akamai attributed active exploitation of **CVE-2026-21513** to **APT28**, reporting the flaw affects all supported Windows versions and enables a **security feature bypass leading to arbitrary file execution** (CVSS **8.8**). Akamai’s root-cause analysis placed the issue in `ieframe.dll`, in the `_AttemptShellExecuteForHlinkNavigate` hyperlink-navigation path, where insufficient URL validation can allow attacker-controlled input to reach code paths invoking `ShellExecuteExW`, enabling execution outside the intended browser security context. Akamai also linked a malicious sample (reported as `document.doc.LnK.download`) to APT28-associated infrastructure and described use of a crafted **`.lnk`** that embeds an HTML file and contacts **`wellnesscaremed[.]com`** as part of the exploitation chain prior to Microsoft’s February patch release.
1 months ago