Microsoft has fixed a serious security issue in the modern Windows Notepad app that could have allowed attackers to run malicious code remotely. The vulnerability is tracked as CVE-2026-20841 and was addressed as part of the February 2026 Patch Tuesday updates.
The flaw affected the Microsoft Store version of Notepad, not the older classic Notepad.exe. According to Microsoft, the issue could be exploited over a network if a user was tricked into opening a specially crafted Markdown file with a .md extension. This makes it a high-risk bug, especially because Notepad is often seen as a safe and trusted app.
The problem was caused by improper handling of certain commands inside Markdown files. When a user opened a malicious Markdown file in Notepad and clicked on a link inside it, the app could process unsafe or unverified protocols. This allowed Notepad to fetch and execute files from a remote server without proper checks.
In simple terms, an attacker could send a harmless-looking Markdown file. Inside the file would be a link that looks normal but actually points to an attacker-controlled source. Once the link is clicked, Notepad could execute commands from that source. The malicious code would then run with the same permissions as the logged-in user. If the user had admin rights, the impact could be much worse.
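One way to triage a Markdown file before opening it, shown as an added example (not code from Microsoft or from this article): list every link whose URI scheme falls outside a small allowlist. The allowlist, the function names and the sample document are assumptions made for illustration.

```python
import re

# Assumption: schemes considered safe to follow from a document; adjust to local policy.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline links/images [text](target), reference definitions [id]: target,
# and autolinks <scheme:...>.
INLINE = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)")
REFDEF = re.compile(r"^ {0,3}\[[^\]]+\]:\s*<?(\S+?)>?(?:\s|$)", re.MULTILINE)
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.\-]*:[^\s>]*)>")
# RFC 3986 scheme syntax at the start of a link target.
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def link_targets(markdown):
    """Yield (line_number, target) for every link target found in the text."""
    for pattern in (INLINE, REFDEF, AUTOLINK):
        for m in pattern.finditer(markdown):
            line_no = markdown.count("\n", 0, m.start(1)) + 1
            yield line_no, m.group(1)


def flag_unsafe_links(markdown):
    """Return sorted (line, scheme, target) for links outside the allowlist."""
    findings = set()
    for line_no, target in link_targets(markdown):
        # Drop control characters and whitespace that can hide a scheme.
        cleaned = "".join(ch for ch in target if ch.isprintable() and not ch.isspace())
        m = SCHEME.match(cleaned)
        if m is None:
            continue  # relative path or fragment: no scheme to dispatch
        scheme = m.group(1).lower()
        if scheme not in ALLOWED_SCHEMES:
            findings.add((line_no, scheme, target))
    return sorted(findings)


# Constructed sample document (made-up schemes, not taken from any real attack).
SAMPLE = """# Release notes
See the [changelog](https://example.com/changelog) or [mail us](mailto:team@example.com).
Open the [installer guide](X-Custom-Handler:placeholder-argument) for details.
Jump to [setup](#setup) or [the docs][docs].

[docs]: x-legacy-viewer://docs.example/readme
"""

if __name__ == "__main__":
    for line_no, scheme, target in flag_unsafe_links(SAMPLE):
        print(f"line {line_no}: scheme '{scheme}' not allowed -> {target}")
```

A flagged link is a reason to inspect the file in a plain-text viewer first, not proof that the file is malicious.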
Microsoft rated the vulnerability as “Important” with a CVSS score of 8.8 out of 10. It does not spread automatically and relies on user interaction, but it still poses a serious risk because that kind of interaction is common in real-world attacks.
The company has released a fix through the Microsoft Store. The patched version of Notepad is build 11.2510 or newer. Users need to update the app manually or make sure automatic app updates are enabled. Microsoft has confirmed that this is a “customer action required” update, meaning the fix will not apply unless users install it.
Microsoft credited security researchers from Delta Obscura and an independent researcher known as “chen” for responsibly reporting the issue.
It is important to note that apps like Notepad are no longer simple text editors. As they add support for formats like Markdown, links, and richer content, they also introduce new attack surfaces. Many users do not expect a basic tool like Notepad to be a security risk, which makes such vulnerabilities more dangerous.
On the positive side, Microsoft responded quickly and provided a clear fix. There is no public evidence yet that the flaw was actively exploited. Still, this serves as a reminder that even everyday apps need regular updates.
To stay safe, users should update Notepad from the Microsoft Store as soon as possible. It is also a good idea to avoid opening Markdown files from unknown sources and to be cautious when clicking links inside text files. Enabling automatic updates and using a good security solution can further reduce risk.







