Microsoft recently released a security update that fixed a serious security vulnerability in Windows Notepad. Once successfully exploited, the vulnerability could allow hackers to remotely execute malicious code and completely take over the victim's computer. This issue is different from previously discovered security incidents in Notepad++ and specifically affects the modern version of the Windows Notepad app available through the Microsoft Store, specifically its behavior when processing Markdown (.md) files.
The vulnerability, numbered CVE-2026-20841, is classified as a remote code execution (RCE) vulnerability. The root cause is that Notepad does not adequately clean or block dangerous special characters when processing specific commands. According to Microsoft's instructions in the security update guide, attackers can construct specially crafted malicious Markdown files and embed carefully disguised links in the files. Once the user opens the file using Notepad and clicks on the link, the attack chain may be triggered and a script will be launched to download and execute malicious code. If the attack process is successful, the hacker can gain full control of the target computer and then access various resources and permissions in the operating system.
In terms of risk rating, the vulnerability's CVSS v3.1 base score is 8.8, which is a "high risk" level. Microsoft also marked it as "important" in its own system. As of the time the patch was released, Microsoft said it had not detected the vulnerability being exploited publicly in the wild, but it still urged users to complete system updates as soon as possible to reduce potential risks.
This fix was included in the routine security update for Patch Tuesday in February 2026, and was officially pushed out on February 10, 2026. Microsoft recommends that users install the latest Windows updates and ensure that the Notes app obtained from the Microsoft Store is the latest version to obtain relevant security fixes. Users can also view the vulnerability entry through the Microsoft Security Portal for more detailed technical information and patch instructions.
The incident also raised questions among some users about Microsoft's decision to give Notepad network capabilities. Some users believe that Notepad, as a simple text editor, does not require continuous networking capabilities, but network access increases the potential attack surface. However, currently allowing Notepad to access the Internet is one of the prerequisites for maintaining its built-in Copilot integration function. Microsoft has recently introduced more formatting tools and AI-related features to Notepad. As for whether Copilot is necessary to appear in such a lightweight editor, there is still a lot of controversy and discussion in the user community.
learn more:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841