The flaw, tracked as CVE-2026-20841, was addressed in Microsoft’s February 10, 2026 security updates and is rated 8.8 (Important) under the CVSS scoring system.
The underlying weakness is a command injection issue, where specially crafted input can be interpreted as executable instructions rather than treated as plain text.
How the exploit chain works
Unlike older Notepad-era threats that relied on separate scripts or loaders, this vulnerability targets the modern app’s richer handling of content—specifically Markdown (.md) files that can include clickable links.
In the attack scenario described by researchers, an adversary prepares a malicious Markdown document containing a hyperlink designed to trigger Notepad into handling an untrusted or unexpected protocol.
If the user clicks the link, Notepad can be pushed into fetching content from an attacker-controlled location and processing it in a way that enables arbitrary command execution.
In newsroom terms: the “weapon” is a text file, the “delivery” can be as simple as email or a download link, and the “moment of compromise” is the click.
What attackers gain
If successfully exploited, the payload runs under the permissions of the logged-in user. That means the attacker inherits whatever access that user has—files, folders, network shares, internal tools—and in environments where users have elevated privileges, the impact can escalate quickly.
Even where admin rights aren’t present, remote code execution at the user level is often enough to:
- steal data,
- install additional malware,
- move laterally inside an organisation, or
- harvest credentials for a follow-on compromise.
Who is affected
This issue impacts the modern Notepad app distributed via the Microsoft Store, not the legacy Notepad.exe most people remember from older Windows builds.
The distinction matters because Store apps can fall out of date if automatic updates are disabled or if enterprise environments don’t enforce app version compliance.
The fix is being distributed through the Microsoft Store as an updated Notepad release (build 11.2510 and later), alongside release notes and a dedicated security advisory.
Because it’s delivered as an app update, users need to install it via the Store or ensure automatic updates are enabled — Microsoft lists this as customer action required.
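Because the fix arrives as a Store app update rather than through Windows Update, the practical question for an administrator is which machines still carry a build below 11.2510. The check below is an added example written for this article, not Microsoft's tooling; the fixed build number comes from the article, the Store package name `Microsoft.WindowsNotepad` is from my own knowledge of the app rather than from the article, and the inventory rows are constructed. It also shows the classic mistake such checks make: comparing version strings lexically, which puts build 11.9 after 11.2510 and marks an old install as patched.

```python
import csv
import io

# Minimum fixed build named in the article; any later build is also fixed.
MIN_FIXED_BUILD = (11, 2510)
# Store package identity of the modern Notepad app (assumption from my own
# knowledge, not stated in the article). On Windows the installed version can
# be read with: Get-AppxPackage -Name Microsoft.WindowsNotepad
NOTEPAD_PACKAGE = "Microsoft.WindowsNotepad"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '11.2510.8.0' into (11, 2510, 8, 0) so components compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version: str, minimum=MIN_FIXED_BUILD) -> bool:
    """True when the installed build is at or above the fixed build.
    Only as many leading components as the minimum has are compared,
    so 11.2510.x.y passes and 12.x passes; a bare '11' conservatively fails."""
    return parse_version(version)[: len(minimum)] >= minimum


def naive_string_check(version: str) -> bool:
    """The pitfall: lexical comparison. '11.9...' sorts after '11.2510'
    because '9' > '2', even though build 9 is far older than build 2510."""
    return version >= "11.2510"


# Constructed inventory in the shape a per-host export of installed Store
# packages might take (hostnames, versions and the Paint row are made up).
INVENTORY = """hostname,package,version
ws-001,Microsoft.WindowsNotepad,11.2510.8.0
ws-002,Microsoft.WindowsNotepad,11.2409.9.0
ws-003,Microsoft.WindowsNotepad,11.9.1.0
ws-004,Microsoft.Paint,11.2504.0.0
"""


def triage_inventory(csv_text: str) -> dict[str, str]:
    """Map each host to 'patched', 'vulnerable' or 'not-installed'.
    A host with rows but no Notepad package row is reported as not-installed;
    such hosts still deserve a second look, since an export can omit packages."""
    status: dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["hostname"]
        status.setdefault(host, "not-installed")
        if row["package"] == NOTEPAD_PACKAGE:
            status[host] = "patched" if is_patched(row["version"]) else "vulnerable"
    return status


if __name__ == "__main__":
    for host, state in sorted(triage_inventory(INVENTORY).items()):
        print(f"{host}: {state}")
```

On the constructed inventory, ws-001 is patched, ws-002 and ws-003 are vulnerable, and ws-004 has no Store Notepad at all. The naive string comparison would have cleared ws-003, which is precisely the host an attacker would want left in the unpatched pool.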
The company credited independent researchers Delta Obscura and “chen” for responsible, coordinated disclosure.
The incident is also a reminder that even “everyday” utilities can become meaningful attack surfaces once they begin handling richer formats such as Markdown.
While the legacy Notepad.exe is not impacted, the modern Store-based Notepad’s broad adoption increases the potential exposure window for unpatched systems.