Windows Notepad Markdown Link Handling Flaw Enables Remote Code Execution
Microsoft patched a high-severity remote code execution issue in the modern Windows Notepad (Microsoft Store) app, tracked as CVE-2026-20841 (CVSS 8.8), caused by command injection (CWE-77) tied to improper neutralization of special elements used in commands. The weakness can be triggered when a user opens a booby-trapped Markdown (.md) file in Notepad and clicks an embedded malicious link; the app can be coerced into launching unverified protocols that load and execute remote content, resulting in code execution in the security context of the logged-in user (potentially full compromise if the user has admin rights).

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Advisory reports public PoC for CVE-2026-20841
A February 13, 2026 advisory stated that proof-of-concept exploit code for CVE-2026-20841 was already public, raising the likelihood of real-world exploitation. The advisory reiterated that the flaw affected Microsoft Store Notepad versions from 11.0.0 up to, but not including, 11.2510, and urged users to update.
Microsoft says no active exploitation of the Notepad flaw is known
In its disclosure and patching information, Microsoft indicated there were no known in-the-wild exploitation cases for CVE-2026-20841 at the time of release. Multiple reports noted the attack still required user interaction and social engineering.
Notepad update adds warnings for non-HTTP(S) Markdown links
As part of the fix, Microsoft changed Notepad so clicking non-http/https links now triggers a warning instead of silently launching unverified protocols. The update was shipped via Microsoft Store in Notepad build 11.2510+.
Microsoft discloses and patches CVE-2026-20841 on Patch Tuesday
On February 10, 2026, Microsoft disclosed and fixed CVE-2026-20841, a CVSS 8.8 remote code execution flaw in the Microsoft Store version of Notepad. The issue allowed malicious Markdown links using unverified protocols to execute local or remote content in the user's security context.
Researchers coordinate disclosure of Notepad RCE flaw
Independent researchers Delta Obscura and "chen" reported a command-injection vulnerability in Windows Notepad's Markdown link handling to Microsoft. The flaw was later assigned CVE-2026-20841.
Microsoft rolls out Markdown support in Notepad
Microsoft began rolling out Markdown functionality in Notepad, introducing the feature later tied to the remote code execution issue. This product change provided the attack surface abused by CVE-2026-20841.
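
The fix described in the timeline above treats any Markdown link whose scheme is not http or https as needing a warning. The following is an added example, not Microsoft's code and not from the sources listed on this page, that applies the same rule to triage Markdown files before they are opened. The function name, regular expressions and sample text are assumptions constructed for illustration.

```python
import re

# Schemes the patched Notepad opens without a warning, per the timeline above.
ALLOWED_SCHEMES = {"http", "https"}

# Inline links and images: [text](target "title") or [text](<target>)
INLINE = re.compile(r'\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)')
# Reference-style definitions: [label]: target
REFDEF = re.compile(r'^[ ]{0,3}\[[^\]]+\]:[ \t]*<?(\S+?)>?(?:\s|$)', re.M)
# Autolinks: <scheme:rest>
AUTOLINK = re.compile(r'<([A-Za-z][A-Za-z0-9+.\-]{1,31}:[^\s<>]*)>')
# Leading URI scheme of a link target
SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9+.\-]*):')


def find_risky_links(markdown_text):
    """Return sorted (line, scheme, target) tuples for links that are not http/https."""
    findings = set()
    for pattern in (INLINE, REFDEF, AUTOLINK):
        for m in pattern.finditer(markdown_text):
            target = m.group(1)
            scheme_match = SCHEME.match(target)
            if not scheme_match:
                continue  # relative path or #fragment: no protocol handler is involved
            scheme = scheme_match.group(1).lower()  # schemes are case-insensitive
            if scheme not in ALLOWED_SCHEMES:
                line = markdown_text.count("\n", 0, m.start(1)) + 1
                findings.add((line, scheme, target))
    return sorted(findings)


# Constructed sample document; the scheme names are placeholders, not real handlers.
SAMPLE = """\
# Constructed sample
See the [guide](https://example.com/guide) and the [local notes](notes/setup.md).
Click [here](Constructed-Scheme://host.example/item "title") to continue.
Contact <mailto:team@example.com> or follow [the installer][inst].

[inst]: app-x:constructed-placeholder
"""

if __name__ == "__main__":
    for line, scheme, target in find_risky_links(SAMPLE):
        print(f"line {line}: scheme '{scheme}' -> {target}")
```

Like the patched behaviour, this flags every non-HTTP(S) scheme, including benign ones such as mailto, so the output is a review list rather than a verdict.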
Sources
7 references tracked.
Update advisory for Windows Notepad remote code execution (RCE) vulnerability (CVE-2026-20841)
blog.alyac.co.kr
Microsoft patches critical Notepad vulnerability allowing code execution | SC Media
scworld.com
Windows Notepad Markdown feature opens door to RCE (CVE-2026-20841) - Help Net Security
helpnetsecurity.com
Windows Notepad Vulnerability Allows Attackers to Execute Code Remotely
cybersecuritynews.com
Billions at Risk: Critical Windows Notepad Flaw Allows Remote Code Execution
securityonline.info
Windows 11 Notepad flaw let files execute silently via Markdown links
bleepingcomputer.com
Notepad's new Markdown powers served with a side of RCE • The Register
go.theregister.com


