Microsoft fixed a vulnerability in Notepad that allowed malicious code execution on Windows 11
Vulnerability in Windows 11 Notepad: Microsoft Responds Quickly
Microsoft discovered a vulnerability in the Notepad application for Windows 11 that allowed attackers to run malicious code via a simple link inside a document.
In response, the company released a fix as part of its monthly “Update Tuesday” – the February 10 update package.
How the Vulnerability Works
- Attack scenario: a user opens a specially crafted Markdown (.md) file.
- Inside the file is a hyperlink that the user clicks.
- When following the link, the system automatically launches unchecked network protocols and downloads an executable from a remote server without user confirmation.
Thus, an attacker can execute arbitrary code on the victim’s computer.
Technical Details
| Parameter | Value |
|-----------|-------|
| CVE‑ID | CVE-2026-20841 |
| Fix | Included in the update package released February 10 |
Microsoft has no evidence of real-world exploitation of this vulnerability in cyberattacks.
Context
In May last year, Microsoft added Markdown support to Notepad. This decision drew criticism: users and experts noted that the app became “overloaded” with redundant functionality and AI‑based tool integration, turning a simple text editor into more complex software.
Conclusion
Microsoft promptly addressed the potential threat in Notepad, but the question of whether expanding the capabilities of this basic application is justified remains open.