Microsoft has patched a high-severity security vulnerability in Windows 11 Notepad that allowed specially crafted Markdown links to launch local or remote programs without triggering standard Windows security warnings.
The flaw is tracked as CVE-2026-20841, and the fix shipped as part of the February 2026 Patch Tuesday update, which Microsoft releases monthly.
While the exploit requires the user to open a malicious Markdown file and click on a link, the absence of any warning made the problem particularly dangerous.
What went wrong?
Notepad has evolved significantly since its introduction in Windows 1.0. With Windows 11, Microsoft modernized the app by:
- Adding Markdown support
- Enabling advanced formatting features
- Retiring WordPad as the default RTF editor
Markdown support allows users to create formatted text and clickable links using simple syntax, such as:
**Bold text**
[Example Link](https://example.com)
However, researchers found that Notepad did not appropriately restrict non-standard protocols inside Markdown links.
How did the exploit work?
In vulnerable versions (11.2510 and earlier):
- Links using protocols such as file://, ms-appinstaller:// and other custom URI schemes became clickable in Markdown view
- Executables launched directly on Ctrl+click
- No Windows security warnings displayed
This meant that an attacker could:
- Create a malicious Markdown (.md) file
- Insert a link pointing to a local or remote executable
- Prompt a user to click on it
On click, the program would run with the same permissions as the logged-in user.
In some cases, the link may point to a file hosted on a remote SMB share, expanding the potential attack surface.
What did Microsoft change?
Microsoft has now implemented stricter security measures.
Notepad will:
- Display a warning dialog for any link that does not use the standard http:// or https:// protocol
- Require explicit user confirmation before proceeding
This ends the previous silent execution behavior.
While social engineering remains possible (users can still click “Yes”), automatic launch without warning is no longer a problem.
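The same rule (treat anything that is not http:// or https:// as suspect) can be applied to Markdown files before anyone opens them, for example during mail or download triage. The following is an added example, not Microsoft's code and not part of the original article; the function names, regex patterns and sample document are constructed for illustration, and the patterns cover common link forms rather than the full Markdown grammar.

```python
import re

# Schemes the article says the patched Notepad follows without a warning.
ALLOWED_SCHEMES = {"http", "https"}

# Link forms covered: inline [text](url), autolink <url>, reference "[id]: url".
LINK_PATTERNS = [
    re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)"),
    re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>"),
    re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?([^\s>]+)"),
]
SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")

def classify(target):
    """Return a label for a target that is not plain http(s), else None."""
    if target.startswith(("\\\\", "//")):
        return "unc-path"  # \\server\share; //server/share flagged conservatively
    m = SCHEME.match(target)
    if not m:
        return None  # relative path or #anchor: no scheme present
    scheme = m.group(1).lower()
    if len(scheme) == 1:
        return "drive-path"  # C:\... looks like a one-letter scheme
    return None if scheme in ALLOWED_SCHEMES else scheme

def find_risky_links(markdown_text):
    """Return sorted, de-duplicated (line_number, label, target) tuples."""
    hits = set()
    for lineno, line in enumerate(markdown_text.splitlines(), start=1):
        for pattern in LINK_PATTERNS:
            for target in pattern.findall(line):
                label = classify(target)
                if label:
                    hits.add((lineno, label, target))
    return sorted(hits)

# Constructed sample document; host names and paths are placeholders.
SAMPLE = """\
# Release notes
See the [project site](https://example.com) and the [changelog](CHANGELOG.md).
Install with [this helper](ms-appinstaller://placeholder).
Or run the [setup tool](FILE://fileserver.example.invalid/share/setup.exe).
Mirror: <file://fileserver.example.invalid/share/readme.txt>
[tools]: \\\\fileserver.example.invalid\\share\\tool.exe
"""

if __name__ == "__main__":
    for lineno, label, target in find_risky_links(SAMPLE):
        print(f"line {lineno}: {label:16} {target}")
```

Scheme matching is case-insensitive, so FILE:// and file:// are reported under the same label, and a link found by two patterns is reported once.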
Why does it matter?
This vulnerability highlights an important lesson:
“Even simple apps can pose serious security risks when new features are added.”
Markdown support made Notepad more powerful and flexible – but it also expanded the application’s attack surface.
Update status
Because Notepad updates automatically through the Microsoft Store, most Windows 11 users should receive the fix without manual action.
Still, it’s essential to keep Windows fully up to date, especially when vulnerabilities involve remote code execution.




