As part of its February 2026 Patch Tuesday release cycle, Microsoft has fixed a high-severity remote code execution (RCE) vulnerability in the current Windows Notepad application, tracked as CVE-2026-20841. First identified by Cristian Papa and Alasdair Gorniak of Delta Obscura, the command injection vulnerability was later thoroughly examined by Nikolai Skliarenko and Yazhi Wang of the TrendAI Research team.
By tricking the user into opening a specially crafted Markdown file and clicking a malicious hyperlink, an attacker who succeeds can execute arbitrary commands in the security context of the victim's account.
Markdown rendering is supported for files with the .md extension in the current version of Windows Notepad, which is distributed through the Microsoft Store and is distinct from the older Notepad.exe that ships with Windows. When a Markdown file is opened, Notepad tokenizes its contents and renders links interactively. Click events on these links are handled by the vulnerable function sub_140170F60(), which applies very little filtering before passing the link value to the Windows API call ShellExecuteExW().
This filtering only removes leading and trailing backslash and forward-slash characters; it does not stop malicious protocol URIs such as file:// and ms-appinstaller://, which can be used to load and run attacker-controlled files locally or remotely without triggering the usual Windows security warnings.
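As an added illustration (not code from Microsoft, the Zero Day Initiative write-up or this article), the following Python example shows how a defender could triage Markdown files, for instance at a mail gateway or during incident review, by flagging link targets whose URI scheme is outside an allowlist. The allowlist, the regular expressions, the function names and the sample document are assumptions made for the example; the stripping step mirrors the filtering described above.

```python
import re
from urllib.parse import urlsplit

# Assumption: schemes considered normal for documentation links; tune per environment.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline links [text](target), autolinks <scheme:...>, reference definitions [id]: target
PATTERNS = (
    re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)"),
    re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>"),
    re.compile(r"^[ ]{0,3}\[[^\]]+\]:\s*<?([^\s>]+)", re.M),
)

def classify(target):
    """Return the scheme when a link target should be flagged, otherwise None."""
    # Apply the same stripping the article describes (leading and trailing
    # '\' and '/'), so a padded target is judged on the value that is dispatched.
    cleaned = target.strip("\\/")
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return "unparseable"
    if not scheme or scheme in ALLOWED_SCHEMES:
        return None  # relative link, anchor, or an allowed scheme
    return scheme

def scan(markdown):
    """Return sorted, de-duplicated (line, scheme, target) findings."""
    findings = set()
    for pattern in PATTERNS:
        for m in pattern.finditer(markdown):
            scheme = classify(m.group(1))
            if scheme:
                line = markdown.count("\n", 0, m.start(1)) + 1
                findings.add((line, scheme, m.group(1)))
    return sorted(findings)

# Constructed sample; hosts and paths are placeholders.
SAMPLE = """# Setup guide
[Release notes](https://example.invalid/notes)
[Open config](///file://example.invalid/share/placeholder.txt)
<ms-appinstaller://example.invalid/placeholder>
[local section](#install)
[docs]: mailto:team@example.invalid
"""

if __name__ == "__main__":
    for line, scheme, target in scan(SAMPLE):
        print(f"line {line}: scheme '{scheme}' -> {target}")
```

Because other protocol handlers may be registered on a given system, an allowlist of expected schemes is used here rather than a blocklist of known-bad ones.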
Because ShellExecuteExW() invokes whatever protocol handlers are configured on the system, the attack surface may extend to other protocols depending on how the target system is configured.

Details of the Patch and the Attack Vector

According to the Zero Day Initiative article, to exploit this vulnerability an attacker must deliver a weaponized file to the victim via email, a download link, or social engineering techniques. The attacker then needs to convince the victim to open the file in Notepad and Ctrl+click the embedded malicious link.
However, Notepad is not automatically associated with .md files. Users are exposed when they manually open such a file in Notepad, which triggers Markdown rendering. A proof-of-concept has already been made available to the public on GitHub.
Notepad versions 11.2508 and below are vulnerable; build 11.2510 and later contain the fix, which is available through the Microsoft Store. The legacy Notepad.exe is unaffected. Microsoft identifies user interaction as a requirement for exploitation and lists no workarounds that are currently available.
To verify complete remediation, organizations should make sure that version compliance is enforced across managed endpoints and that automatic Microsoft Store updates are enabled.



