Windows 11 Notepad Bug Let Markdown Links Run Files Without Warning

[harlan4096]

Microsoft has patched a high-severity security vulnerability in Windows 11 Notepad that allowed specially crafted Markdown links to launch local or remote programs - without triggering standard Windows security warnings.

The flaw tracked as CVE-2026-20841 was fixed as part of the February 2026 Patch Tuesday updates, which we release monthly.

While exploitation required a user to open a malicious Markdown file and click a link, the lack of any warning prompt made the issue especially dangerous.

What Went Wrong?

Notepad has evolved significantly since its debut in Windows 1.0. With Windows 11, Microsoft modernized the app by:

• Adding Markdown support
  
• Enabling richer formatting features
  
• Retiring WordPad as the default RTF editor
  

Markdown support allows users to create formatted text and clickable links using simple syntax, such as:

• Code:

  **Bold text**
• Code:

  [Example Link](https://example.com)

However, researchers discovered that Notepad did not properly restrict non-standard protocols inside Markdown links.

Continue Reading...