Unwanted AI upgrade to Windows Notepad created a serious security flaw
Thanks, Microsoft
by Kishalaya Kundu · TechSpot
The big picture: Microsoft released its latest Patch Tuesday update this week with 59 hotfixes across Windows, Microsoft Office, Azure, and core system components. The update includes patches for six security flaws that were being actively exploited in the wild, as well as fixes for three publicly disclosed zero-day vulnerabilities.
According to Microsoft's release notes, the update fixes 25 elevation of privilege flaws, 12 remote code execution vulnerabilities, three denial of service vulnerabilities, five security feature bypass exploits, six information disclosure bugs, and seven spoofing vulnerabilities. Six of the vulnerabilities were rated "Critical," while the rest were marked as "Severe."
One of the first-party Microsoft apps that received a hotfix this week is Notepad, which was recently updated with a range of AI features. Tracked as CVE-2026-20841, the remote code execution vulnerability stems from improper neutralization of special elements used in a command (command injection), enabling malicious actors to execute arbitrary, unauthorized code on the host machine over a network.
According to Microsoft, attackers could exploit the command injection vulnerability by tricking users into clicking a malicious link inside a Markdown file opened in Notepad. Clicking the link causes the program to launch unverified protocols that could load and execute malware-infested remote files, giving the attacker the same permissions as the user.
The vulnerability, rated "Important," was not publicly disclosed before being patched, and there is no known evidence of active exploitation. However, Microsoft recommends that users download and install the hotfix as soon as possible to prevent malicious actors from exploiting it on client devices.
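A defender-side check for the pattern described above, as an added example that is not from Microsoft or the original article: it scans Markdown text for link targets whose URI scheme falls outside a small allowlist. The allowlist, the function names and the `example-handler` scheme in the sample are assumptions constructed for illustration.

```python
import re

# Assumption: the only schemes expected in ordinary documentation Markdown.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

INLINE = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)")            # [text](target "title")
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>")   # <scheme:rest>
REFDEF = re.compile(r"^[ ]{0,3}\[[^\]]+\]:\s*<?([^\s>]+)", re.M)  # [label]: target
SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")


def link_targets(markdown):
    """Return every link target in the text, grouped by link syntax, deduplicated."""
    found = []
    for pattern in (INLINE, AUTOLINK, REFDEF):
        found.extend(m.group(1) for m in pattern.finditer(markdown))
    return list(dict.fromkeys(found))


def suspicious_links(markdown):
    """Return (target, reason) for links a viewer should not launch unprompted."""
    findings = []
    for target in link_targets(markdown):
        m = SCHEME.match(target)
        if m is None:
            # No scheme: relative paths and #fragments are fine, but a
            # network path hands the click to a remote host.
            if target.startswith(("//", "\\\\")):
                findings.append((target, "network path"))
            continue
        scheme = m.group(1).lower()  # schemes are case-insensitive
        if scheme not in ALLOWED_SCHEMES:
            findings.append((target, f"scheme '{scheme}' not allowlisted"))
    return findings


# Constructed sample; example-handler is a made-up scheme, not a real one.
SAMPLE = """\
# Release notes
See the [project site](https://example.com/docs "Docs") or <mailto:team@example.com>.
Click [here to view the report](example-handler://open?item=1).
Shared copy: [report](//fileserver.example/share/report.md)
[setup]: Example-Handler:run
Jump to [usage](#usage) or [the guide](docs/guide.md).
"""

if __name__ == "__main__":
    for target, reason in suspicious_links(SAMPLE):
        print(f"{target}: {reason}")
```

The same allowlist approach applies to mail gateways or file-share scanners that want to flag Markdown attachments before a user opens them.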
The discovery of the remote code execution zero-day in Notepad has reignited debate on whether every Windows app needs AI features. Users and cybersecurity experts are weighing in on the issue on social media, and many of them seem to be of the opinion that the unwanted AI infusion is slowing down Notepad. Others question why a text editor even needs network connectivity.
Apart from Notepad, other built-in Windows apps that have received the AI treatment include Paint, Photos, and Snipping Tool. While some of the AI features, like the generative erase and object removal tools in the Photos app, have received a largely positive response, users have been less kind to many of the other AI updates, which they believe add unnecessary bloat, slowing down performance and affecting productivity.