Overview
- Tracked as CVE-2026-20841 with a CVSS base score of 8.8, the flaw stems from command injection that let Notepad launch unverified protocols via Markdown links.
- Exploitation required a user to open a crafted .md file in Notepad and click a malicious link, enabling execution with the victim’s privileges and raising risk for admin accounts.
- The fix shipped in the February 2026 Patch Tuesday and is being delivered through the Microsoft Store, with affected releases identified as Notepad versions earlier than 11.2510.
- Updated Notepad now shows a “This link may be unsafe” prompt for non‑http(s) URIs such as file: and ms-appinstaller:, reducing but not eliminating social‑engineering risk.
- Microsoft credited researchers Cristian Papa, Alasdair Gorniak, and a finder identified as Chen, and advises users to install updates and avoid untrusted Markdown files.
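
The updated Notepad prompts on any link that is not http(s), and the same rule can be used to triage a Markdown file before anyone opens it. The script below is an added example, not Microsoft's code: the sample document and the function name `flag_links` are constructed for illustration, and it goes beyond the inline link form to cover reference definitions and autolinks, on the assumption that any of them may be rendered as clickable.

```python
import re

# Per the advisory summary above, only http(s) links skip the
# "This link may be unsafe" prompt; everything else is flagged here.
SAFE_SCHEMES = {"http", "https"}

# Common Markdown link forms. Which of these Notepad renders is an
# assumption; the page only says "Markdown links".
INLINE = re.compile(r'\[[^\]]*\]\(\s*<?([^)\s>]+)')            # [text](target)
REFDEF = re.compile(r'^[ ]{0,3}\[[^\]]+\]:[ \t]*<?([^\s>]+)', re.M)  # [id]: target
AUTOLINK = re.compile(r'<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>')  # <scheme:target>
SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9+.-]*):')            # RFC 3986 scheme


def flag_links(markdown_text):
    """Return sorted (line_no, scheme, target) for every non-http(s) link."""
    hits = set()  # a set, because an autolink inside (...) matches twice
    for pattern in (INLINE, REFDEF, AUTOLINK):
        for m in pattern.finditer(markdown_text):
            target = m.group(1)
            sm = SCHEME.match(target)
            if not sm:
                continue  # relative path or #fragment: no protocol handler
            scheme = sm.group(1).lower()  # schemes are case-insensitive
            if scheme not in SAFE_SCHEMES:
                line_no = markdown_text.count("\n", 0, m.start(1)) + 1
                hits.add((line_no, scheme, target))
    return sorted(hits)


# Constructed sample input (not taken from any real file).
SAMPLE = """# Release notes
See the [docs](https://example.com/docs) and [setup](./setup.md).
Open the [report](file:///C:/Users/Public/notes.txt) for details.
[Install viewer](ms-appinstaller:?source=https://example.invalid/viewer.msix)
Contact <mailto:team@example.com> or visit <HTTPS://example.com>.
[ref]: FILE://share.example.invalid/notes.txt
"""

if __name__ == "__main__":
    for line_no, scheme, target in flag_links(SAMPLE):
        print(f"line {line_no}: {scheme}: link -> {target}")
```

Run against files arriving by mail or download, any hit is a reason to review the file in a plain-text view before opening it in a Markdown-rendering editor.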