Microsoft has released an important security update for Windows 11 that fixes a dangerous flaw in the built-in Notepad app, a vulnerability that could have let attackers run malicious code on affected PCs.
What Happened
The flaw, tracked as CVE-2026-20841, allowed a specially crafted Markdown (.md) file to trigger remote code execution if a user opened the file in Notepad and clicked a malicious link. Because Notepad had added support for Markdown links in recent updates, attackers could embed harmful links that launch remote files or programs if clicked — without a clear security warning.
Remote code execution bugs are among the riskiest types of software vulnerabilities because they can let hackers install malware, steal data, or take control of a system with the same permissions as the signed-in user. Notepad’s ubiquity on Windows makes it an attractive target for social engineering attacks, such as email attachments or project README files.
How Microsoft Fixed It
The issue was addressed as part of the February 2026 Patch Tuesday updates distributed through Windows Update. The update changes how Notepad handles links in Markdown files — now requiring a clear prompt before launching content that uses non-standard protocols.
This means that when a user tries to open links using protocols like file://, ms-appinstaller://, or similar, Notepad will first display a warning asking for permission, reducing the risk of attackers executing code without notice.
What Users Should Do
Windows 11 users are strongly advised to install the latest updates as soon as they’re available. Because Notepad updates can also be delivered through the Microsoft Store, most systems should receive the patch automatically.
Until the patch is applied, users should be cautious about opening Markdown files from unknown or untrusted sources and avoid clicking suspicious links inside documents.
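As an added example (not Microsoft's code and not Notepad's actual logic), the following script lists links in a Markdown file that use anything other than ordinary web or mail schemes, so a file from an untrusted source can be checked before it is opened. The allow-list, the function names and the sample text are assumptions made for this illustration.

```python
import re

# Schemes treated as ordinary links. This allow-list is an assumption of
# the example, not the list Notepad uses.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Three common Markdown link forms:
#   inline      [text](target)
#   autolink    <scheme:target>
#   reference   [label]: target
INLINE = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)")
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>")
REFDEF = re.compile(r"^[ ]{0,3}\[[^\]]+\]:[ \t]*<?([^\s>]+)", re.M)
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")

def classify(target):
    """Return None for an ordinary link, otherwise the reason to flag it."""
    if target.startswith("\\\\"):
        return "UNC path"
    if re.match(r"^[A-Za-z]:[\\/]", target):
        return "local drive path"
    m = SCHEME.match(target)
    if not m:
        return None  # relative path or #anchor
    scheme = m.group(1).lower()
    if scheme in SAFE_SCHEMES:
        return None
    return f"non-standard scheme '{scheme}'"

def scan(markdown):
    """Return sorted (line, target, reason) tuples for flagged links."""
    findings = set()
    for pattern in (INLINE, AUTOLINK, REFDEF):
        for m in pattern.finditer(markdown):
            reason = classify(m.group(1))
            if reason:
                line = markdown.count("\n", 0, m.start()) + 1
                findings.add((line, m.group(1), reason))
    return sorted(findings)

# Constructed sample input; hosts and paths are placeholders.
SAMPLE = """# Project README (constructed sample)
See the [docs](https://example.com/docs) and [setup](./INSTALL.md).
Run the [installer](ms-appinstaller://example.invalid/app.msix) first.
Shared notes: <file://fileserver.example.invalid/share/notes.txt>
[tool]: file:///C:/placeholder/path
Contact [us](mailto:team@example.com) or jump to [top](#top).
"""

if __name__ == "__main__":
    for line, target, reason in scan(SAMPLE):
        print(f"line {line}: {target} ({reason})")
```

The regular expressions cover the common link forms only; a full CommonMark parser is needed to catch every way a link can be written.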

