
Windows 11 Notepad flaw let files execute silently via Markdown links


Microsoft has fixed a "remote code execution" vulnerability in Windows 11 Notepad that allowed attackers to execute local or remote programs by tricking users into clicking specially crafted Markdown links, without displaying any Windows security warnings.

With the release of Windows 1.0, Microsoft introduced Notepad, a simple, easy-to-use text editor that, over the years, became popular for quickly jotting notes, reading text files, creating to-do lists, or acting as a code editor.

Those who needed a rich text format (RTF) editor that supported different fonts, sizes, and formatting tools like bold, italics, and lists could use Windows Write and later WordPad.

However, with the release of Windows 11, Microsoft decided to discontinue WordPad and remove it from Windows.

Instead, Microsoft rewrote Notepad to modernize it so it could act as both a simple text editor and an RTF editor, adding Markdown support that lets you format text and insert clickable links.

Markdown support means Notepad can open, edit, and save Markdown files (.md), which are plain text files that use simple symbols to format text and represent lists or links.

For example, to bold text or create a clickable link, you would add the following Markdown text:

**This is bold text**
[Link to BleepingComputer](https://www.bleepingcomputer.com/)

Microsoft fixes Windows Notepad RCE flaw

As part of the February 2026 Patch Tuesday updates, Microsoft disclosed that it fixed a high-severity Notepad remote code execution flaw tracked as CVE-2026-20841.
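
An added example, not from the article or from Microsoft: a Python audit that lists every Markdown link in a file whose target is not plain http/https, so those links can be reviewed before the file is opened in an editor that makes links clickable. The allowlist policy, the function name `audit_markdown` and the sample text are assumptions constructed here; the article does not say which link targets the flaw involved.

```python
import re
from urllib.parse import urlsplit

# Policy assumption for this example: only web links are expected in notes.
ALLOWED_SCHEMES = {"http", "https"}

# Inline Markdown link: [text](target "optional title").
# The target may be wrapped in <...> when it contains spaces.
LINK_RE = re.compile(r'\[([^\]]*)\]\(\s*(<[^>]*>|[^)\s]+)(?:\s+"[^"]*")?\s*\)')


def audit_markdown(text):
    """Return (line_no, label, target, reason) for each link outside the allowlist."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, target in LINK_RE.findall(line):
            target = target.strip("<>").strip()
            scheme = urlsplit(target).scheme.lower()
            if scheme in ALLOWED_SCHEMES:
                continue
            if scheme:
                reason = f"scheme '{scheme}' is not allowlisted"
            else:
                reason = "no scheme (local or relative path)"
            findings.append((line_no, label, target, reason))
    return findings


# Constructed sample input: the first two lines are the article's own example,
# the last two use placeholder targets invented for this illustration.
SAMPLE = """\
**This is bold text**
[Link to BleepingComputer](https://www.bleepingcomputer.com/)
[Quarterly report](example-handler:placeholder)
[Setup notes](<docs/setup notes.txt>)
"""

if __name__ == "__main__":
    for line_no, label, target, reason in audit_markdown(SAMPLE):
        print(f"line {line_no}: [{label}] -> {target}: {reason}")
```
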
