https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841

Microsoft has fixed a critical remote code execution vulnerability in Windows 11 Notepad that allowed attackers to execute local or remote programs silently by luring users into clicking specially crafted Markdown links. The flaw, tracked as CVE-2026-20841, exploited Notepad’s new Markdown support feature, which lets users create clickable links within text files. Malicious actors could embed links to executable files or app installers that, when clicked, would run automatically without triggering any Windows security warnings, putting users’ systems at risk.

The vulnerability was discovered by security researchers who exposed how attackers could deceive users into opening Markdown files containing unsafe links. The flaw allowed commands to execute in the context of the signed-in user, meaning malicious code would inherit their permissions.

Microsoft addressed the issue in its February 2026 Patch Tuesday update, introducing warnings for non-standard link protocols such as file:, ms-settings:, and ms-appinstaller:. These are prompts rather than blocks, however: the program only runs if the user manually approves the prompt, so the protection still depends on the user declining it.

While the update improves security by warning users before a potentially dangerous link is opened, it remains possible to socially engineer victims into approving the prompt. Microsoft’s approach leaves room for improvement, as blocking non-HTTP/HTTPS links outright might further reduce the risk. Because Windows 11 updates Notepad automatically through the Microsoft Store, most users will receive the fix without any action on their part, minimising the vulnerability’s impact.
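As an added defender-side illustration (not Notepad's code and not Microsoft's fix), the following Python scanner extracts Markdown link targets from a document and flags any whose scheme falls outside an http/https allowlist, the stricter policy the article suggests; the regular expressions, the allowlist and the sample document are constructed here and cover the file:, ms-settings: and ms-appinstaller: schemes named above.

```python
"""Flag Markdown links whose URI scheme is outside an http/https allowlist.

Added example for triaging Markdown files before they are opened in a
renderer that follows links. The link patterns, allowlist and sample text
are constructed for this example.
"""
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: only web links are allowed

# Inline links [text](target), autolinks <scheme:target>,
# and reference definitions [id]: target on their own line.
_INLINE = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)")
_AUTOLINK = re.compile(r"<([a-zA-Z][a-zA-Z0-9+.-]*:[^>\s]+)>")
_REFDEF = re.compile(r"^\s*\[[^\]]+\]:\s*<?(\S+?)>?\s*$", re.MULTILINE)

def extract_link_targets(markdown: str) -> list[str]:
    """Return every link target, grouped by link form (duplicates kept)."""
    targets = []
    for pattern in (_INLINE, _AUTOLINK, _REFDEF):
        targets.extend(pattern.findall(markdown))
    return targets

def scheme_of(target: str) -> str:
    """Normalised lower-case scheme of a target; '' for relative targets.
    Surrounding whitespace and backslashes (file:\\host\\share) are tolerated."""
    cleaned = target.strip().replace("\\", "/")
    return urlsplit(cleaned).scheme.lower()

def flag_links(markdown: str) -> list[tuple[str, str]]:
    """Return (scheme, target) pairs for every link not on the allowlist."""
    flagged = []
    for target in extract_link_targets(markdown):
        scheme = scheme_of(target)
        if scheme and scheme not in ALLOWED_SCHEMES:
            flagged.append((scheme, target))
    return flagged

SAMPLE = """# Release notes (constructed sample document)
See [the docs](https://example.invalid/docs) and [installer](ms-appinstaller:?source=https://example.invalid/app.msix).
Autolink: <FILE:///C:/Users/Public/setup.exe>
[settings]: ms-settings:windowsupdate
Relative: [readme](./README.md)
"""

if __name__ == "__main__":
    for scheme, target in flag_links(SAMPLE):
        print(f"non-web link scheme '{scheme}': {target}")
```

Only the scheme is inspected, so a mixed-case `FILE:` autolink is caught while relative links and plain web links pass.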