Microsoft Patches Critical Notepad Flaw That Could Hijack Windows PCs

Microsoft patched a critical Notepad vulnerability allowing system hijack via malicious Markdown files, urging immediate Windows updates.

Feb 11, 2026

Microsoft patched a critical remote code execution vulnerability in Windows Notepad that could let attackers hijack computers through malicious Markdown files. This follows other recent security incidents like threat groups hijacking Microsoft 365 accounts using OAuth device code exploits.

The flaw, tracked as CVE-2026-20841, affects the modern Notepad app distributed through the Microsoft Store.

Attackers could exploit it by creating specially crafted Markdown (.md) files containing malicious links. When users open these files in Notepad and click the links, arbitrary code executes on their systems.

Microsoft addressed the issue in its February 2026 Patch Tuesday security updates released on February 10. The company rated the flaw as "Important" with a CVSS v3.1 base score of 8.8 out of 10.

This security update comes alongside Microsoft's recent Windows 11 builds that include native Sysmon security monitoring tools.

According to Microsoft's Security Update Guide, the security flaw stems from improper neutralization of special elements in commands, classified as CWE-77: Command Injection. The modern Notepad app fails to properly clean up or block dangerous special characters when handling certain commands.

Successful exploitation would grant attackers the same privileges as the logged-in user. If the user has administrative rights, this could lead to full system compromise.

The attack requires users to open malicious Markdown files and interact with embedded links.
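The article does not say what the malicious links look like, so this added example (not code from Microsoft or from the article) takes the allowlist approach that improper-neutralization flaws generally call for: it extracts every link target from a Markdown file and flags any whose URI scheme is not one an ordinary document needs. The allowlist, the function names and the sample text are assumptions constructed for illustration.

```python
import re

# Assumption: schemes an ordinary Markdown document needs; tune per environment.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
LINK_PATTERNS = (
    re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)"),                  # [text](target)
    re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>"),          # <scheme:target>
    re.compile(r"^[ ]{0,3}\[[^\]]+\]:[ \t]*<?([^\s>]+)", re.M),  # [ref]: target
)

def link_targets(markdown):
    """Return sorted (line_number, target) pairs for every link target."""
    found = set()
    for pattern in LINK_PATTERNS:
        for match in pattern.finditer(markdown):
            line = markdown.count("\n", 0, match.start(1)) + 1
            found.add((line, match.group(1)))
    return sorted(found)

def suspicious_links(markdown):
    """Return targets with an explicit scheme that is not on the allowlist.

    Relative paths and #fragments carry no scheme and are not flagged.
    """
    flagged = []
    for line, target in link_targets(markdown):
        scheme = SCHEME.match(target)
        if scheme and scheme.group(1).lower() not in ALLOWED_SCHEMES:
            flagged.append((line, target))
    return flagged

# Constructed sample; "example-handler" and "exampleproto" are placeholders.
SAMPLE = """# Project notes
[Release notes](https://example.com/notes)
[Open report](example-handler://run?arg=1)
[Usage](#usage) and <mailto:team@example.com>
[docs]: exampleproto:payload
"""

if __name__ == "__main__":
    for line, target in suspicious_links(SAMPLE):
        print(f"line {line}: review link target {target!r}")
```

A flagged target is a prompt for review, not a verdict; the same check can run over .md attachments at a mail gateway or over a file share before documents reach users.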

Microsoft reports no known public exploits at the time of the patch release. The company credits independent researchers Delta Obscura and "chen" for coordinated disclosure.

The patch rolled out through the Microsoft Store for Notepad version 11.2510 and later. Users must update manually or enable automatic app updates in Windows Settings.

Legacy Notepad.exe, the traditional Windows component, remains unaffected by this specific security issue.

This security problem highlights risks in everyday applications that handle rich text formats like Markdown. As Notepad evolves from a basic text editor into a feature-rich application with internet connectivity, its attack surface expands.

Some users have questioned Microsoft's decision to give network functionality to Notepad, especially since internet access remains mandatory for Copilot integration within the text editor.

Microsoft recommends users install the latest Windows updates and keep the Notepad app current through the Microsoft Store to protect against this flaw patched on February 10, 2026.
