Notepad’s Markdown Vulnerability Exposed

A vulnerability in Microsoft’s Notepad text editor can be exploited for remote code execution (RCE) through social engineering. The flaw, CVE-2026-20841, was addressed in the latest Patch Tuesday fixes, but its potential impact remains significant because Notepad is so widely installed on Windows PCs.

To exploit the vulnerability, an attacker needs only to trick a user into opening a malicious Markdown file in Notepad and clicking a linked file. Microsoft explains that this allows hackers to launch “unverified protocols” that execute files with user permissions.

While there are no known cases of this flaw being exploited in the wild, it is a reminder to be cautious when using Notepad, especially if you’re running outdated software or have not enabled security features.

In May 2025, Microsoft introduced Markdown support in Notepad, which was met with mixed reactions. Some critics argue that adding AI features and Markdown functionality betrays the app’s lightweight design.

It’s worth noting that this vulnerability is just one of several recent security issues affecting Notepad++. In June, the Notepad++ team confirmed that state-sponsored cybercrime groups had compromised its update service, leading to targeted attacks on organizations in East Asia.

Source: https://www.theregister.com/2026/02/11/notepad_rce_flaw