Overview
- Microsoft’s February Patch Tuesday update fixes CVE-2026-20841 in the Windows 11 Notepad app, with the remediation rolling out via Windows Update and the Microsoft Store.
- Rated CVSS 8.8, the issue is a command-injection flaw in Markdown rendering that could launch unverified protocols to load and run remote content.
- Exploitation requires user interaction: the victim must open a malicious .md file in Notepad and click an embedded link, which makes the vulnerability non-wormable and reliant on social engineering.
- Any payload would run with the victim’s permissions, posing greater risk on systems where users have administrative privileges.
- Post-fix behavior now prompts before opening non-standard URI schemes such as file: or ms-appinstaller:, and Microsoft reports no evidence of in-the-wild exploitation.
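For triage of .md files received from outside, the following added example (not Microsoft's code and not from the original page) lists Markdown links whose URI scheme falls outside an allow-list, the same class of link the patched Notepad now prompts on. The allow-list (http, https, mailto), the function names and the sample document are assumptions made for illustration.

```python
import re

# Assumption: schemes treated as "standard". The page names only file: and
# ms-appinstaller: as examples of non-standard schemes.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Three Markdown link forms: [text](target), <scheme:target>, and [id]: target
INLINE = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)")
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>")
REFDEF = re.compile(r"^[ ]{0,3}\[[^\]]+\]:[ \t]*<?([^\s>]+)", re.M)
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

def link_targets(markdown):
    """Yield (line_number, target) for every link target in the text."""
    for pattern in (INLINE, AUTOLINK, REFDEF):
        for m in pattern.finditer(markdown):
            yield markdown.count("\n", 0, m.start()) + 1, m.group(1)

def flag_links(markdown):
    """Return sorted (line, scheme, target) for links outside the allow-list."""
    findings = set()
    for line, target in link_targets(markdown):
        m = SCHEME.match(target)
        if m is None:
            continue  # relative path or #fragment: no scheme to launch
        scheme = m.group(1).lower()  # URI schemes are case-insensitive
        if scheme not in ALLOWED_SCHEMES:
            findings.add((line, scheme, target))
    return sorted(findings)

# Constructed sample document (not taken from any real file).
SAMPLE = """# Release notes
See the [changelog](https://example.com/changelog) or [mail us](mailto:team@example.com).
Open the [install guide](FILE://fileserver.example/share/guide.txt) first.
Quick install: <ms-appinstaller:?source=https://example.invalid/app.msix>
Details are in [section 2](#section-2) and [the docs][docs].

[docs]: ms-appinstaller:?source=https://example.invalid/docs.msix
"""

if __name__ == "__main__":
    for line, scheme, target in flag_links(SAMPLE):
        print(f"line {line}: {scheme}: link -> {target}")
```

A hit is a reason to inspect the file before opening it, not proof of malice; the regular expressions cover common link syntax and are not a full Markdown parser.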