PT-2026-7330 · Microsoft · Windows Notepad

Alasdair Gorniak +2 · Published 2026-02-10 · Updated 2026-04-29 · CVE-2026-20841

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Windows Notepad versions prior to 11.2502.1.0
Windows 10 and Windows 11 versions prior to February 2026 Patch Tuesday

Description

A command injection issue exists in the modern Microsoft Store version of the Windows Notepad app due to improper neutralization of special elements used in commands. The flaw is rooted in the application's Markdown rendering and URI handling. An unauthorized attacker can exploit this by tricking a user into opening a specially crafted Markdown (.md) file containing malicious links. When a user interacts with these links (e.g., via Ctrl+Click), the application fails to properly sanitize the input and launches unverified protocols (such as file://, ms-appinstaller://, or UNC paths), allowing the fetching and execution of remote files. This results in remote code execution (RCE) within the security context of the user who opened the file.

Recommendations

Update to Notepad version 11.2502.1.0 or later.
Deploy February 2026 Microsoft security updates.
As a temporary workaround, block notepad.exe execution from network paths.
As a temporary workaround, disable the notepad:// URI handler.
As a temporary workaround, reassign .txt file association via Group Policy.
As a temporary workaround, restrict SMB and WebDAV access.
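
A triage check for the link types named in the description above, as an added example that is not part of the original advisory or any vendor tooling: it lists Markdown link targets that are UNC paths or use a scheme outside an allowlist. The allowlist, the function names and the sample text are assumptions constructed for illustration.

```python
import re

# Assumption: schemes acceptable to open from a document; adjust to local policy.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

INLINE_LINK = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)")            # [text](target)
REFERENCE_DEF = re.compile(r"^[ ]{0,3}\[[^\]]+\]:[ \t]*<?([^\s>]+)", re.M)  # [id]: target
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.\-]+:[^>\s]+)>")      # <scheme:target>
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]+):")

# Constructed sample text; hosts and paths are placeholders.
SAMPLE = r"""
# Release notes
See the [changelog](https://example.com/changelog) and [setup](docs/setup.md).
Open the [installer](ms-appinstaller://example.invalid/app).
Shared copy: [report](\\fileserver.example\share\report.txt)
Quick link: <file:///C:/Users/Public/readme.txt>
[ref]: file://host.example/share/notes.txt "Notes"
"""


def classify(target):
    """Return a reason string if the link target is risky, else None."""
    if target.startswith(("\\\\", "//")):
        return "UNC or network path"
    m = SCHEME.match(target)
    if m is None:
        return None  # relative link or in-document anchor
    scheme = m.group(1).lower()
    if scheme in ALLOWED_SCHEMES:
        return None
    return f"non-allowlisted scheme: {scheme}"


def risky_links(markdown_text):
    """List (target, reason) for every flagged link, without duplicates."""
    findings, seen = [], set()
    for pattern in (INLINE_LINK, REFERENCE_DEF, AUTOLINK):
        for m in pattern.finditer(markdown_text):
            target = m.group(1)
            reason = classify(target)
            if reason and target not in seen:
                seen.add(target)
                findings.append((target, reason))
    return findings


if __name__ == "__main__":
    for target, reason in risky_links(SAMPLE):
        print(f"{reason}\t{target}")
```

Run over .md files arriving by mail or download, a non-empty result marks a file for review before it is opened on an unpatched host.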

Exploit · Fix · RCE · Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-01742
CVE-2026-20841

Affected Products

Windows Notepad