Windows Notepad RCE Flaw CVE-2026-20841 Draws Public PoC Releases
Microsoft disclosed CVE-2026-20841, a remote code execution vulnerability in the Windows Notepad app, and the bug was subsequently detailed by Trend Micro's Zero Day Initiative as an arbitrary code execution issue affecting Notepad. Public references describe the flaw as enabling code execution through the handling of malicious content in Notepad, elevating concern because the application is widely present across Windows environments.
Within days of disclosure, multiple proof-of-concept repositories for CVE-2026-20841 appeared on GitHub, including projects explicitly labeling the issue as "Windows notepad.exe RCE". The rapid publication of several PoCs increases the likelihood of weaponization and lowers the barrier for attackers to test exploitation, making prompt validation of Microsoft's security update and exposure assessment a priority for defenders.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
ZDI publishes technical analysis of CVE-2026-20841
The Zero Day Initiative published a blog post detailing CVE-2026-20841 as an arbitrary code execution vulnerability in Windows Notepad. This added public technical context beyond the initial vendor advisory.
Public PoC repositories for CVE-2026-20841 appear on GitHub
Multiple GitHub repositories were created or published with proof-of-concept material for CVE-2026-20841, including references describing it as a Windows notepad.exe RCE issue. The repositories indicate public exploit details became broadly available shortly after disclosure.
Microsoft discloses CVE-2026-20841 in Windows Notepad
Microsoft published CVE-2026-20841 in its Security Update Guide as a Windows Notepad App remote code execution vulnerability. This marks the public vendor disclosure of the issue.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Zero Day Initiative - CVE-2026-20841: Arbitrary Code Execution in the Windows Notepad
zerodayinitiative.com
Open sourceGitHub - atiilla/CVE-2026-20841 · GitHub
github.com
Open sourceGitHub - dogukankurnaz/CVE-2026-20841-PoC: CVE-2026-20841 · GitHub
github.com
Open sourceGitHub - BTtea/CVE-2026-20841-PoC: PoC · GitHub
github.com
Open sourceGitHub - BTtea/CVE-2026-20841-PoC: PoC · GitHub
github.com
Open sourceGitHub - RajaUzairAbdullah/CVE-2026-20841: CVE-2026-20841 - Windows notepad.exe RCE · GitHub
github.com
Open sourceCVE-2026-20841 - Security Update Guide - Microsoft - Windows Notepad App Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ThreatsDay Bulletin Highlights Microsoft Notepad Markdown Link RCE (CVE-2026-20841)
Microsoft patched a **Windows Notepad** command-injection vulnerability, **CVE-2026-20841** (CVSS **8.8**), that can lead to **remote code execution** when a user opens a Markdown file in Notepad and clicks a crafted malicious link. The issue is described as improper neutralization of special elements used in a command, enabling an attacker to trigger execution of remote or local payloads in the **security context of the logged-in user**. Public proof-of-concept examples indicate the flaw can be exercised using Markdown `file://` links pointing to executables (e.g., `file://C:/windows/system32/cmd.exe`) and other special URI handlers. The reporting appears as part of a broader weekly “ThreatsDay” roundup that also references other, separate security stories (e.g., AI prompt injection/RCE themes and other malware/exploit items), but the concrete, actionable item consistently detailed is the Notepad Markdown-link RCE and its patch. A separate “Daily Cyber News” post discusses Microsoft releasing fixes for multiple exploited flaws across widely deployed products, but it does not specifically corroborate the Notepad CVE or the Markdown-link exploitation path described in the roundup, making it contextually related to Microsoft patching activity but not the same discrete vulnerability story.
Mar 21, 2026
Windows Notepad Markdown Link Handling Flaw Enables Remote Code Execution
Microsoft patched a high-severity **remote code execution** issue in the modern *Windows Notepad* (Microsoft Store) app, tracked as **CVE-2026-20841** (CVSS 8.8), caused by **command injection** (`CWE-77`) tied to improper neutralization of special elements used in commands. The weakness can be triggered when a user opens a booby-trapped **Markdown (`.md`)** file in Notepad and clicks an embedded malicious link; the app can be coerced into launching **unverified protocols** that load and execute remote content, resulting in code execution in the **security context of the logged-in user** (potentially full compromise if the user has admin rights).
Apr 11, 2026
Windows Notepad Markdown Link Validation Flaw Enables Arbitrary Command Execution
Microsoft patched a high-severity **remote code execution** issue in the modern *Windows Notepad* (Microsoft Store version) tracked as **CVE-2026-20841**, where improper validation of links in Markdown (`.md`) files can lead to arbitrary command execution in the context of the logged-in user. The flaw can be triggered when a victim opens a specially crafted Markdown file and clicks a rendered hyperlink; Notepad’s Markdown rendering/tokenization pipeline turns link text into interactive elements, and the click handler passes attacker-controlled link values onward with insufficient sanitization. Technical reporting indicates Notepad forwards the link target to `ShellExecuteExW()` with only minimal filtering (e.g., stripping leading/trailing slashes), allowing malicious protocol URIs such as `file://` and `ms-appinstaller://` to be invoked via registered protocol handlers. Exploitation is primarily social-engineering driven (email, downloads, or other delivery mechanisms) and requires user interaction (opening the file and clicking the link), but can result in execution of attacker-chosen commands or loading attacker-controlled content depending on protocol handler behavior and system configuration; the issue was disclosed via **Zero Day Initiative** and credited to researchers including Cristian Papa and Alasdair Gorniak (Delta Obscura), with additional analysis referenced by third-party reporting.
Mar 21, 2026