Microsoft: Windows Notepad Vulnerability Allows Attackers to Execute Code Remotely

Microsoft Patches Critical RCE Flaw in Windows Notepad App

Microsoft has addressed a severe remote code execution (RCE) vulnerability in the Windows Notepad app, tracked as CVE-2026-20841, which could allow attackers to execute malicious code on targeted systems. Disclosed as part of the February 10, 2026, Patch Tuesday updates, the flaw stems from improper handling of special elements in commands (CWE-77: Command Injection) and holds a CVSS v3.1 score of 8.8, classifying it as "Important."

The vulnerability affects the modern Windows Notepad app, distributed via the Microsoft Store, rather than the legacy Notepad.exe. Exploitation requires tricking users into opening a maliciously crafted Markdown (.md) file containing a booby-trapped hyperlink. When clicked, the link triggers Notepad to process unverified protocols, fetching and executing remote files without proper sanitization. Attackers leverage custom URL schemes (e.g., mimicking trusted protocols) to inject arbitrary commands, which run under the victim’s security context, potentially granting admin-level access if the user has elevated privileges.
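A defensive check for the link handling described above, as an added example (not Microsoft's fix and not code from the source article): it scans Markdown text and flags link targets whose URL scheme is outside an allowlist. The allowlist, the function name and the placeholder schemes in the sample are assumptions constructed for illustration.

```python
import re

# Assumption: only these schemes are acceptable for links in Markdown you open.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# Inline links [text](target), autolinks <scheme:...>, reference definitions.
PATTERNS = (
    re.compile(r"\[[^\]]*\]\(\s*<?([^\s)>]+)"),
    re.compile(r"<([A-Za-z][A-Za-z0-9+.\-]*:[^\s>]+)>"),
    re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?([^\s>]+)", re.MULTILINE),
)

# Constructed sample; "example-handler" and "EXAMPLE-OTHER" are placeholder schemes.
SAMPLE = (
    "# Release notes\n"
    "See the [changelog](https://example.com/changelog) and [setup](docs/setup.md).\n"
    "Download [the installer](example-handler://host.invalid/setup) now.\n"
    "Contact <mailto:team@example.com> or <EXAMPLE-OTHER://host.invalid/x>.\n"
    "\n"
    "[docs]: example-handler:open?item=1\n"
)

def risky_links(markdown):
    """Return sorted (line, scheme, target) for links outside the allowlist."""
    findings = set()  # a set, because one target can match two patterns
    for pattern in PATTERNS:
        for m in pattern.finditer(markdown):
            target = m.group(1)
            scheme = SCHEME.match(target)
            if scheme is None:
                continue  # relative link or fragment: no scheme to dispatch
            name = scheme.group(1).lower()  # schemes are case-insensitive
            if name not in ALLOWED_SCHEMES:
                line = markdown.count("\n", 0, m.start(1)) + 1
                findings.add((line, name, target))
    return sorted(findings)

if __name__ == "__main__":
    for line, name, target in risky_links(SAMPLE):
        print(f"line {line}: scheme '{name}' not allowlisted -> {target}")
```

The same allowlist-first decision is what a Markdown renderer should make before handing a clicked link to the operating system; here it is applied to files at rest, for example attachments held for triage.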

Microsoft released a patch via the Microsoft Store (Notepad build 11.2510+) but requires users to manually update or enable auto-updates. The company credited independent researchers Delta Obscura (delta.cyberm.ca) and “chen” for coordinated disclosure.

The flaw highlights risks in everyday applications handling rich text formats like Markdown, particularly as Notepad evolves into a more feature-rich tool. While the legacy version remains unaffected, the Store version’s widespread use increases exposure. Users are advised to apply the update promptly to mitigate potential attacks.

Source: https://cybersecuritynews.com/windows-notepad-rce-vulnerability/

Microsoft TPRM report: https://www.rankiteo.com/company/Microsoft