Windows 11 Notepad Bug Executes Files Via Markdown Links
▼ Summary
– Microsoft fixed a high-severity remote code execution flaw (CVE-2026-20841) in Windows 11 Notepad that allowed attackers to execute code by tricking users into clicking malicious Markdown links.
– The vulnerability was a command injection flaw that let attackers launch programs or remote files without Windows displaying any security warnings to the user.
– Exploitation required a user to open a crafted Markdown file in Notepad and click a link, which would then execute code with the user’s own permissions.
– The fix, delivered in a February 2026 update, now causes Notepad to display a warning dialog when users click on non-http/https links, such as file:// or ms-appinstaller:// URIs.
– Notepad updates automatically via the Microsoft Store, minimizing the flaw’s real-world impact despite its novelty and ease of exploitation.
A recently patched security flaw in the Windows 11 Notepad application could have allowed attackers to run malicious code on a user’s system simply by having them click a link within a Markdown file. Microsoft has resolved this high-severity remote code execution vulnerability, tracked as CVE-2026-20841, with its latest security updates. The issue stemmed from the application’s modernized design, which added support for Markdown formatting and clickable links.
Notepad has been a staple of the Windows operating system since its debut, serving as a straightforward tool for editing plain text. With the phasing out of WordPad in Windows 11, Microsoft enhanced Notepad to handle rich text formatting and Markdown files. This functionality allows users to open, edit, and save files with the .md extension, where simple symbols control text styling and create hyperlinks. For instance, surrounding text with double asterisks makes it bold, and brackets followed by parentheses create a clickable web link.
The security vulnerability was an improper command injection. According to Microsoft’s advisory, an unauthorized attacker could exploit it over a network by deceiving a user into interacting with a malicious Markdown link. When a person opened a crafted file in Notepad and viewed it in Markdown preview mode, specially formed links would appear normal. Clicking such a link, however, would trigger the execution of a local or remote file without any security warning from Windows.
The exploit worked by using non-standard URI protocols like `file://` or `ms-appinstaller://` within the Markdown link. Researchers demonstrated that an attacker could create a link pointing directly to an executable file on the system or on a remote network share. If a user performed a Ctrl+click on the link in a vulnerable version of Notepad (11.2510 or earlier), the linked program would run immediately with the same permissions as the logged-in user, presenting a significant risk.
Cybersecurity experts highlighted how trivial it was to create a proof-of-concept file, drawing widespread attention to the flaw’s novelty and potential danger. The core of the problem was that Notepad failed to validate or warn users about links using protocols other than standard web addresses.
Microsoft’s fix, delivered via the Microsoft Store, now requires Notepad to display a security prompt when a user attempts to open any link that does not use the http:// or https:// protocols. This warning appears for a range of URI types, including those for local files, settings, app installers, email clients, and searches. While this adds a crucial layer of protection, some observers question why the application doesn’t simply block these non-web links outright, as users could still be socially engineered into clicking “Yes” on the prompt.
The automatic update mechanism for Notepad through the Microsoft Store means most systems should already be protected, limiting the real-world impact of this vulnerability primarily to its technical intrigue. Users are encouraged to ensure their applications are up to date to benefit from this and other security improvements.
(Source: Bleeping Computer)
