CVE-2026-20841: Windows Notepad Remote Code Execution — Markdown Exploit
A high-severity vulnerability in the modern Windows Notepad app allows remote attackers to execute arbitrary code by exploiting the new Markdown rendering feature. Here is everything you need to know.
CVSS Score: 8.8 (High Severity)
Attack Vector: Network
Exploit Maturity: Proof of Concept
Patch Available: Yes
Active Exploitation: Not Confirmed
TL;DR — Update Now!
- CVE-2026-20841 is a high-severity RCE vulnerability in Windows Notepad
- Attackers use malicious links in Markdown (.md) files to trigger command injection
- Affected: Modern Windows Notepad (Microsoft Store version)
- Solution: Update Notepad via Microsoft Store immediately
What is CVE-2026-20841?
CVE-2026-20841 is a remote code execution vulnerability affecting the modern version of Windows Notepad distributed via the Microsoft Store. The issue stems from the improper handling of specific URI schemes within the recently added Markdown support.
This flaw allows an attacker to craft a malicious text file that, when interacted with by a user, forces the application to execute dangerous commands. This turns a simple text editor into an entry point for system compromise.
Attack Flow Visualization
- Victim receives a malicious Markdown (.md) file via email or download
- Victim opens the file in the modern Windows Notepad
- Victim clicks a specially crafted hyperlink inside the document
- Notepad fails to sanitize the URI and triggers a command injection
- Malicious payload executes with the user's privileges
How Does It Work?
The vulnerability exploits the Markdown parsing engine introduced in newer versions of Notepad. While legacy Notepad only handled plain text, the modern app parses rich elements like links. Attackers can embed a hyperlink using a custom or unverified protocol scheme (e.g., pointing to a remote script or executable).
When the user clicks this link, instead of opening a web browser, Notepad passes the unsanitized input directly to the system's protocol handler. This allows the attacker to inject arguments that execute arbitrary code, effectively bypassing security warnings that usually accompany file execution.
Impact & Severity
CVSS Score: 8.8 (High)
While this vulnerability requires user interaction (opening a file and clicking a link), the ubiquity of Notepad makes it a significant risk:
• Remote Code Execution: Attackers can run malware, ransomware, or spyware.
• User Context Compromise: The code runs with the victim's permissions, allowing access to personal files and network shares.
• Social Engineering Vector: Users generally trust text files and Notepad, making them easy targets for phishing.
Affected Versions
This vulnerability affects:
• Windows Notepad (Microsoft Store App) versions prior to 11.2510
• Note: Legacy Notepad (System32\notepad.exe) is NOT affected
How to Fix It
Microsoft has released a patch available through the Microsoft Store.
Option 1: Update via Store (Mandatory)
Open the Microsoft Store app, go to Library, and click "Get Updates". Ensure Windows Notepad is updated to version 11.2510 or higher.
Option 2: AppLocker / EDR Policies
Security administrators can temporarily block the execution of the modern Notepad app (Package family name: Microsoft.WindowsNotepad) and force users to use the legacy version until the update is deployed across the organization.
How to Verify Vulnerability
If your endpoints are running outdated Windows Store apps, you are exposed. TEPTEZ can automatically scan your infrastructure to identify vulnerable application versions, including non-system apps like Windows Notepad. Our platform provides visibility into installed Store apps and actionable remediation steps.
How to Detect Exploitation Attempts
- Unusual child processes spawned by Notepad.exe
- Network connections initiated directly by the Notepad application
- Users reporting unexpected behavior when clicking links in text files
- Presence of .md files containing obfuscated URI schemes in email attachments
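For the last indicator, a mail gateway or triage script can extract every link target from a Markdown attachment and flag any scheme outside an allowlist. The following is an added example, not code from Microsoft or TEPTEZ; the allowlist, the function names and the sample document (with placeholder scheme names) are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: schemes a mail gateway expects to see in Markdown attachments.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

INLINE = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)")            # [text](target)
REFDEF = re.compile(                                           # [id]: target "title"
    r"^ {0,3}\[[^\]]+\]:[ \t]*<?(\S+?)>?[ \t]*(?:[\"'(].*)?$", re.M)
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>")  # <scheme:...>
SCHEME = re.compile(r"([a-z][a-z0-9+.-]*):")

# Constructed sample; the scheme names are placeholders, not real handlers.
SAMPLE = """\
# Release notes (constructed sample)
See the [project site](https://example.com/docs) and [setup](./setup.md).
Open the [report](Custom-Handler://placeholder-argument) for details.
Encoded: [notes](%46ile:///C:/placeholder/notes.txt)
[ref]: example-scheme:placeholder "title"
Contact <mailto:team@example.com>.
"""


def scheme_of(target):
    """Return the lower-cased URI scheme, or None for relative links."""
    decoded = unquote(target)  # undo %xx obfuscation of the scheme
    cleaned = "".join(c for c in decoded if c.isprintable() and not c.isspace())
    match = SCHEME.match(cleaned.lower())
    return match.group(1) if match else None


def suspicious_links(md_text):
    """List (scheme, raw_target) for every link outside ALLOWED_SCHEMES."""
    findings = []
    for pattern in (INLINE, REFDEF, AUTOLINK):
        for match in pattern.finditer(md_text):
            target = match.group(1)
            hit = (scheme_of(target), target)
            # Drive-letter paths such as C:\... surface as a one-letter scheme.
            if hit[0] and hit[0] not in ALLOWED_SCHEMES and hit not in findings:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for scheme, target in suspicious_links(SAMPLE):
        print(f"review: scheme={scheme!r} target={target!r}")
```

Attachments that produce findings are candidates for quarantine or manual review rather than proof of an exploitation attempt.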