Notepad's new Markdown powers served with a side of remote code execution

Smug faces across all those who opposed the WordPad-ification of Microsoft's humble text editor

by · The Register

Just months after Microsoft added Markdown support to Notepad, researchers have found the feature can be abused to achieve remote code execution (RCE).

Tracked as CVE-2026-20841 (8.8), the vulnerability was addressed in the Windows maker's most recent Patch Tuesday fixes.

The flaw misses out on the top severity scores as it requires a little social engineering in order to get it working, but from there it's plain sailing for an attacker.

When we say "social engineering," it's not the super sophisticated stuff like the dark art practised by Scattered Spider. It's more just tricking people into opening untrusted links.

There are ample email security protections available to organizations, yet phishing remains the most effective initial access vector for cybercriminals, and with Notepad installed as standard on most Windows PCs, it means CVE-2026-20841 could affect quite a few machines.

An attacker needs only to get an unwitting user to open a Markdown file in Notepad and click a malicious link embedded inside.

According to Microsoft's explanation, a hacker can exploit the vulnerability to launch "unverified protocols" that load and execute files with the user's permissions.
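The attack path above hinges on a Markdown link whose target uses a URI scheme other than the ordinary web ones. A defensive way to look at that is a scanner that pulls every link target out of a Markdown file and flags schemes outside an allowlist. This is an added example, not code from the article or from Microsoft; the allowlist and the sample document are assumptions constructed for the demonstration.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Schemes a plain Markdown document legitimately needs; anything else is
# flagged for review. This allowlist is an assumption for the example.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline links and images: [text](target "title") and ![alt](target)
INLINE_LINK = re.compile(r"!?\[[^\]]*\]\(\s*<?([^\s>)]+)>?[^)]*\)")
# Reference definitions at line start: [label]: target
REF_DEF = re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?([^\s>]+)>?", re.MULTILINE)
# Autolinks: <scheme:...>
AUTOLINK = re.compile(r"<([a-zA-Z][a-zA-Z0-9+.-]*:[^\s<>]+)>")

def link_targets(markdown: str) -> list[str]:
    """Every link target in the text, grouped by link syntax."""
    targets: list[str] = []
    for pattern in (INLINE_LINK, REF_DEF, AUTOLINK):
        targets.extend(pattern.findall(markdown))
    return targets

def scheme_of(target: str) -> str:
    """Lower-cased URI scheme of a target, or '' for relative links."""
    return urlparse(target.strip()).scheme.lower()

def suspicious_links(markdown: str) -> list[tuple[str, str]]:
    """(scheme, target) pairs whose scheme is outside the allowlist."""
    flagged = []
    for target in link_targets(markdown):
        scheme = scheme_of(target)
        if scheme and scheme not in ALLOWED_SCHEMES:
            flagged.append((scheme, target))
    return flagged

# Constructed sample document (not from the article); 'customapp' is a
# made-up scheme standing in for any non-web protocol handler.
SAMPLE = """# Release notes
See the [docs](https://example.test/docs) or email <mailto:help@example.test>.
[open tool]: customapp://launch?arg=1
Click [here][open tool] to continue. Also ![logo](images/logo.png).
"""

if __name__ == "__main__":
    for scheme, target in suspicious_links(SAMPLE):
        print(f"flagged {scheme}: {target}")
```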

The Windows giant also confirmed there are no known cases of the flaw being exploited in the wild.

Microsoft began rolling out Markdown functionality in Notepad in May 2025 as part of a WordPad-ish update before going GA.

The move was divisive: while some welcomed the new feature, many thought Notepad should have been left alone.

Critics argued that making Notepad more like WordPad, which Microsoft killed in 2024, betrayed the app's core ethos as a lightweight, fast, no-frills program.

Then came the AI. In September, Windows Insiders were treated to AI-assisted writing, rewriting, and summarization features — provided they were running a Copilot+ PC.

All of this, including Markdown support, can be toggled off in Notepad's settings, but ships as default.

Notepad++ is not affiliated with Microsoft, but the disclosure of CVE-2026-20841 comes just days after its team confirmed major security issues of its own.

Earlier this month, it announced fixes and version upgrades after state-sponsored cybercrims compromised its update service as early as June, leading to targeted attacks on organizations with interests in East Asia. ®