Home » Posts » Microsoft's Notepad Got Pwned (They Added AI To It, So...) February 11, 2026 #security #cve #notepad #microsoft #rce #windows #CVE-2026-20841 Remember when Notepad was just… Notepad? A simple text editor nobody asked to be modernized? Yeah, Microsoft didn’t care either. They bolted on Markdown support and AI features anyway. And now we’ve got CVE-2026-20841 . Remote code execution. Via a text file. This is the kind of thing that makes you go “oh come on, really?” What actually happened with CVE-2026-20841 Someone at Microsoft thought “what if Notepad could execute commands?” and shipped it enabled by default. Attackers can now trick users into opening a malicious .md file, you click a link, and BAM, code runs with your full permissions. Full system compromise. It’s that bad. The vulnerability itself is straightforward. Notepad’s Markdown handler doesn’t validate what’s in those links before executing them. A specially made file with the right protocol prefix does the rest. Phishing a user to click becomes a full system compromise. CVSS Score: 8.8 (High) Attack Vector: Network (via file) Requires User Interaction: Yes (clicking a link) Affected Versions: Notepad 11.0.0 to 11.2509 Patch Available: Yes (build 11.2510+, released February 10, 2026) How the exploit actually works (and why it matters) The attack is stupid simple: Someone sends you a .md file. Could be “meeting-notes.md”, “requirements.txt”, whatever. You open it in Notepad because it’s just text. You see a link. “Click here for details” or something. You click it. Notepad’s Markdown handler doesn’t validate what’s actually in that link before executing it. Instead of opening a browser, it runs code. With your full user permissions. Admin account? They own your entire system. Install malware, steal credentials, ransom your files, whatever. PoC code is public . Who should actually care about this If you’re running Windows 10 or Windows 11 with the modern Notepad app from the Microsoft Store, you’re vulnerable. That’s the majority of Windows users. Doesn’t matter if you actively use Notepad or not, it’s there. Developers? Especially vulnerable since you’re likely to open random files all the time. IT administrators? This is now on your patch list. Regular Windows users? Yeah, you need to fix this too. The only people not affected: Anyone still running the ancient Notepad.exe from like Windows 7 or earlier (and honestly, why are you still on that). The real reason this happened Users literally warned Microsoft. The security community said “stop adding bloat to Notepad, you’re increasing attack surface.” Microsoft shipped it anyway. Enabled by default. This is what happens when you add complexity to simple tools. More features equals more attack surface. More attack surface equals vulnerabilities. It’s not complicated. The best part? You didn’t ask for any of this. Notepad worked fine ten years ago. It works fine now. But Microsoft needed to show they’re “innovating” so here we are. What you need to do right now Step 1: Update immediately Open the Microsoft Store (yeah, I know, but stick with me). Search for Notepad. Click “Update” if you see it, or make sure you’re on version 11.2510 or later. Can’t find it? Check your current version: Open Notepad Click the three dots (menu) Go to “About” Check the version number If it says anything less than 11.2510, you need to update. Step 2: Disable features you don’t use (seriously) Once updated, go back to that three-dot menu. Under “Settings”: Turn off Markdown preview if you don’t use it Disable AI suggestions Turn off link preview execution You wanted a text editor, not a feature-rich IDE. Act like it. Step 3: Be suspicious of .md files from unknown sources Don’t open Markdown files sent by people you don’t know. If a colleague sends you one, ask if they actually meant to. Don’t click random links in files from email or file-sharing services. Quick reference: What you need to know Detail Value CVE ID CVE-2026-20841 CVSS Score 8.8 (High) Vulnerability Type Command Injection (CWE-77) Affected App Modern Notepad app (Microsoft Store) Affected Versions 11.0.0 to 11.2509 Fixed In 11.2510+ Patch Date February 10, 2026 Active Exploitation Yes, PoC available Workaround Limited (update is required) FAQs people actually ask Q: Does this affect the old Notepad.exe? A: No. Only the modern Microsoft Store version. If you’re running legacy Windows, you’re not affected. Q: Can I get infected just by opening the file? A: No. You have to click a link inside the Markdown preview. So there’s that small mercy. Q: What if I already have the old version? A: Update. Right now. Stop reading and do it. Q: Can antivirus catch this? A: Maybe, but don’t rely on it. Patching is the actual solution. Q: Why would Microsoft ship this? A: Because they prioritized “modern features” over basic security review. Welcome to software in 2026. Why this is actually interesting CVE-2026-20841 is a solid reminder about something fundam...