Microsoft plugs remote code vulnerability in Notepad app on Windows 11

Microsoft fixes a critical Notepad vulnerability in Windows 11 that could allow remote code execution via malicious Markdown files. Here are the details

Microsoft Notepad
Sweta Kumari New Delhi
Last Updated: Feb 12 2026 | 12:12 PM IST
Microsoft has fixed a security flaw in Notepad that could have allowed attackers to trick users into clicking harmful links inside Markdown files. The company resolved the issue in its latest patch update, rolling out a fix to block any possible exploitation. According to Microsoft, the vulnerability could have been used to remotely load and run malicious files on a victim’s computer. Microsoft said, however, that there is no evidence that the flaw was actively exploited.

How did the Notepad vulnerability in Windows 11 work?

According to the company, the problem affected Markdown files opened in Notepad. For context, Markdown files are simple text files that use a lightweight formatting language called Markdown. They let users add basic formatting such as headings, bold text, links, lists and images using plain text symbols. If a user clicked on a specially crafted malicious link inside one of these files, it could trigger what Microsoft described as “unverified protocols”. This would allow attackers to execute remote code on the system. As per Microsoft, the vulnerability has been identified as CVE-2026-20841. 
 
Microsoft only added support for Markdown in Notepad on Windows 11 last year. The feature allowed users to open and edit Markdown files directly in the basic text editor. However, the addition reportedly drew criticism, with some saying that Microsoft was adding unnecessary features and AI capabilities into core apps such as Notepad and Paint, contributing to concerns about bloatware in the operating system.
 
The company said it has no evidence that hackers exploited the flaw in real-world attacks. Still, it chose to patch the issue as part of its regular security updates. The fix ensures that Notepad no longer allows such links to launch unsafe protocols that could compromise a device.
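
As an added illustration (not code from Microsoft or from this report), a defender can pre-screen Markdown files for link targets whose URI scheme falls outside an allowlist before they are opened. The allowlist, the function names and the sample document are assumptions constructed for this example, and the placeholder schemes are not taken from CVE-2026-20841.

```python
import re

# Assumption for this example: the schemes a reviewer expects in documentation.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline links and images: [text](target "title")
INLINE = re.compile(r"!?\[[^\]]*\]\(\s*<?([^)\s>]+)")
# Reference definitions: [label]: target
REFDEF = re.compile(r"^ {0,3}\[[^\]]+\]:[ \t]*<?([^\s>]+)", re.M)
# Autolinks: <scheme:target>
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]{1,31}:[^\s<>]*)>")
# Two or more characters before ":" so a drive letter is not read as a scheme.
SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.-]+):")


def link_targets(markdown):
    """Yield (line_number, target) for every link target in the text."""
    for pattern in (INLINE, REFDEF, AUTOLINK):
        for m in pattern.finditer(markdown):
            yield markdown.count("\n", 0, m.start(1)) + 1, m.group(1)


def flag_unexpected_schemes(markdown, allowed=ALLOWED_SCHEMES):
    """Return sorted (line, scheme, target) tuples for schemes not allowed."""
    findings = set()  # a set removes duplicates such as [x](<scheme:y>)
    for line, target in link_targets(markdown):
        m = SCHEME.match(target)
        if m and m.group(1).lower() not in allowed:
            findings.add((line, m.group(1).lower(), target))
    return sorted(findings)


# Constructed sample document; the non-web schemes are placeholders.
SAMPLE = """# Release notes
See the [docs](https://example.com/docs) or [mail us](mailto:team@example.com).
Click [here](example-handler://run?arg=1) to continue.
[setup]: Other-Scheme:install "Setup"
Relative [link](./README.md) and <https://example.org>.
"""

if __name__ == "__main__":
    for line, scheme, target in flag_unexpected_schemes(SAMPLE):
        print(f"line {line}: unexpected scheme '{scheme}' in {target}")
```

Relative paths and fragment-only links carry no scheme and are not flagged; scheme comparison is case-insensitive.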

According to a report by The Verge, this is not the first time a text editor has faced security concerns. Recently, the third-party Notepad++ app also disclosed that some users may have downloaded a malicious update linked to Chinese state-sponsored attackers.
 


First Published: Feb 12 2026 | 12:11 PM IST
