A high-severity remote code execution (RCE) vulnerability in Microsoft’s modern Windows Notepad application has been patched as part of the February 2026 Patch Tuesday release—but security researchers have already published a working proof-of-concept exploit on GitHub, raising concerns about active exploitation in the wild.
The Vulnerability: Command Injection via Markdown Rendering
Tracked as CVE-2026-20841, the flaw resides in how the modern Windows Notepad (distributed via Microsoft Store) handles Markdown files. When a user opens a .md file, Notepad renders links interactively—but the vulnerable function sub_140170F60() passes link values directly to ShellExecuteExW() with minimal filtering.
The filtering mechanism only strips leading and trailing slashes, failing to block dangerous protocol URIs such as:
- file://
- ms-appinstaller://
This allows attackers to craft malicious hyperlinks that execute arbitrary commands in the victim’s security context—without triggering standard Windows security warnings.
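As an added illustration (not Notepad's code, which the article identifies only by the decompiler name sub_140170F60()), the PowerShell below reconstructs the filtering behaviour the article describes: a check that merely trims leading and trailing slashes, beside a scheme allowlist that parses the link as an absolute URI and admits only http and https. The function names, the sample links and the allowlist contents are this example's own assumptions.

```powershell
# Added example, not Notepad's code: a trim-only link filter as the article
# describes it, next to a scheme allowlist. Function names, sample links and the
# allowlist are assumptions of this example.

function Test-TrimOnlyFilter {
    param([string]$Link)
    # Mirrors the described weakness: only leading/trailing slashes are removed
    # and anything left over is accepted, scheme included.
    $cleaned = $Link.Trim('/')
    return -not [string]::IsNullOrWhiteSpace($cleaned)
}

function Test-SchemeAllowlist {
    param(
        [string]$Link,
        [string[]]$AllowedSchemes = @('http', 'https')
    )
    $uri = $null
    # Relative links and unparsable text are rejected along with unknown schemes.
    if (-not [System.Uri]::TryCreate($Link, [System.UriKind]::Absolute, [ref]$uri)) {
        return $false
    }
    return $AllowedSchemes -contains $uri.Scheme.ToLowerInvariant()
}

# Constructed sample links: two ordinary web links and two using the protocol
# handlers the article names.
$samples = @(
    'https://example.com/docs',
    'http://example.com/readme',
    'file:///C:/Users/Public/tool.exe',
    'ms-appinstaller://?source=https://example.com/app.msix'
)

foreach ($link in $samples) {
    [pscustomobject]@{
        Link      = $link
        TrimOnly  = Test-TrimOnlyFilter  -Link $link
        Allowlist = Test-SchemeAllowlist -Link $link
    }
}
```

The trim-only filter accepts all four links; the allowlist accepts only the two web links. An allowlist on the parsed scheme is the check to apply before anything reaches ShellExecuteExW(), because that API dispatches on the registered protocol handler rather than on the text of the link.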
Attack Vector
According to the Zero Day Initiative advisory, successful exploitation requires:
- Attacker delivers a weaponized .md file via email, download link, or social engineering
- Victim opens the file in Notepad
- Victim presses Ctrl + click on the embedded malicious link
While user interaction is required, the simplicity of the attack chain—combined with the ubiquity of Markdown files in developer workflows—makes this vulnerability particularly concerning for enterprise environments.
Public Proof-of-Concept Available
Security researchers Cristian Papa and Alasdair Gorniak of Delta Obscura originally discovered the flaw, with additional analysis provided by Nikolai Skliarenko and Yazhi Wang of TrendAI Research. A proof-of-concept exploit has been published on GitHub, lowering the barrier for exploitation.
Affected Versions and Remediation
| Status | Version |
|---|---|
| Vulnerable | Notepad 11.2508 and earlier |
| Patched | Notepad 11.2510 and later |
Important: This vulnerability affects only the modern Microsoft Store version of Notepad—not the legacy Notepad.exe bundled with Windows.
Recommended Actions
- Enable automatic Microsoft Store updates across all managed endpoints
- Verify Notepad version compliance—ensure all systems are running build 11.2510 or later
- User awareness training—remind users to exercise caution when opening .md files from untrusted sources
- Monitor for exploitation attempts—watch for suspicious ShellExecuteExW() calls originating from Notepad processes. The API call itself is not logged; what endpoint telemetry records is the process it launches, so hunt for process-creation events (Sysmon Event ID 1 or Security Event ID 4688) whose parent is the Store Notepad
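As an added hunting example (not from the article or from Microsoft), the PowerShell below pulls Sysmon process-creation events and keeps those whose parent image is the Store Notepad. It assumes Sysmon is installed with Event ID 1 enabled, that the script runs elevated (the Sysmon log is not readable by standard users), and that the packaged Notepad executes from a path under \WindowsApps\Microsoft.WindowsNotepad_*; the look-back window and field names are this example's choices.

```powershell
# Added example: hunt for processes spawned by the Store Notepad, which is the
# observable side effect of a ShellExecuteExW() call. Assumes Sysmon Event ID 1
# is enabled and that packaged Notepad runs from \WindowsApps\Microsoft.WindowsNotepad_*.

$Since = (Get-Date).AddDays(-7)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $Since
}

Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
    # Flatten the EventData name/value pairs into a hashtable for easy lookup.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['ParentImage'] -like '*\WindowsApps\Microsoft.WindowsNotepad_*\Notepad.exe') {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data['User']
            ParentImage = $data['ParentImage']
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
        }
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A legitimate https link also produces a hit here (Notepad hands it to the default browser), so triage on the Image and CommandLine fields: a browser is expected, while AppInstaller.exe, script hosts, or an executable from a user-writable directory is not. The same filter works against Security Event ID 4688 by reading ParentProcessName and NewProcessName instead.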
Microsoft has not provided any workarounds, making patching the only remediation path.
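As an added compliance check (this example's own script, not Microsoft guidance), the PowerShell below enumerates the Store Notepad package for every user profile on a machine, compares it with the patched build, and, when a vulnerable copy is found, asks the Store update engine to scan for updates. It assumes the package name Microsoft.WindowsNotepad (confirm it with Get-AppxPackage -AllUsers *Notepad*), the 11.2510 minimum taken from the table above, and an elevated session, which the -AllUsers switch and the MDM update-scan method both require.

```powershell
# Added example: report Store Notepad versions per user profile and trigger a
# Store update scan when a vulnerable build is present. Assumes the package
# name Microsoft.WindowsNotepad and an elevated PowerShell session.

$MinimumVersion = [version]'11.2510'   # first patched build per the article

$results = Get-AppxPackage -AllUsers -Name 'Microsoft.WindowsNotepad' | ForEach-Object {
    $installed = [version]$_.Version
    [pscustomobject]@{
        PackageFullName = $_.PackageFullName
        Version         = $installed
        Compliant       = ($installed -ge $MinimumVersion)
        # One entry per user the package is installed or staged for.
        Users           = ($_.PackageUserInformation | ForEach-Object { "$_" }) -join '; '
    }
}

if (-not $results) {
    Write-Host 'Store Notepad is not installed for any user on this host.'
    exit 0
}

$results | Format-Table -AutoSize -Wrap

$vulnerable = $results | Where-Object { -not $_.Compliant }
if ($vulnerable) {
    Write-Warning ('{0} vulnerable Notepad package(s) found; requesting a Store update scan.' -f @($vulnerable).Count)
    # Same mechanism Intune uses to make the Store check for app updates immediately.
    Get-CimInstance -Namespace 'Root\cimv2\mdm\dmmap' `
        -ClassName 'MDM_EnterpriseModernAppManagement_AppManagement01' |
        Invoke-CimMethod -MethodName 'UpdateScanMethod' | Out-Null
    exit 1
}

Write-Host 'All Store Notepad packages are at or above the patched build.'
```

Run it from the endpoint-management tool of choice and treat a non-zero exit code as non-compliant; the update scan is asynchronous, so re-run the check after the Store has had time to install the new package.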
Why This Matters
The release of a public PoC within days of patch availability creates a critical window where unpatched systems remain vulnerable to exploitation. Organizations with slow patch cycles or manual update processes are at elevated risk. The targeting of a trusted, widely-used application like Notepad makes this an attractive vector for phishing campaigns and targeted attacks.
Source: Cyber Security News
