Microsoft released a security update addressing a serious vulnerability in Notepad. The flaw, not to be confused with a security issue recently found in Notepad++, could allow attackers to execute malicious code on a victim’s computer remotely.
The bug (tracked as CVE-2026-20841) is a remote code execution (RCE) flaw in Windows Notepad. It happens because the app doesn't properly clean up or block dangerous special characters in certain commands. The flaw affects the modern Windows Notepad app from the Microsoft Store, particularly when handling Markdown (.md) files.
According to Microsoft’s Security Update Guide, an attacker could exploit the vulnerability by creating a malicious Markdown file containing specially crafted links. If a user opens the file in Notepad and clicks one of the links, a script could launch, download, and execute malicious code. If the attack succeeds, the attacker could gain full control of the victim's computer and all associated permissions.
The vulnerability carries a CVSS v3.1 base score of 8.8 (high severity), with Microsoft's maximum severity rating listed as Important. Microsoft reports no known public exploits at the time of the patch release.
Microsoft patched this vulnerability as part of the February 2026 Patch Tuesday security updates, released on February 10, 2026. Users should install the latest Windows updates and keep the Notepad app up to date.
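Alongside patching, Markdown files from untrusted sources can be triaged before anyone opens them. The script below is an added example, not code from Microsoft or from this article: it lists link targets whose URI scheme falls outside an allowlist. The advisory as quoted here does not describe the crafted link format, so the allowlist, the function names and the sample file are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: schemes your organisation expects in received Markdown; adjust per policy.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

INLINE = re.compile(r'\[[^\]]*\]\(\s*(<[^>\n]*>|[^)\s]+)')       # [text](target)
REFDEF = re.compile(r'^[ \t]{0,3}\[[^\]]+\]:\s*(<[^>\n]*>|\S+)', re.MULTILINE)  # [ref]: target
AUTOLINK = re.compile(r'<([A-Za-z][A-Za-z0-9+.\-]{1,31}:[^\s<>]*)>')  # <scheme:target>

def link_targets(markdown):
    """Return sorted (line_number, target) pairs for every link target found."""
    found = set()
    for pattern in (INLINE, REFDEF, AUTOLINK):
        for m in pattern.finditer(markdown):
            target = m.group(1).strip("<>").strip()
            line = markdown.count("\n", 0, m.start()) + 1
            found.add((line, target))
    return sorted(found)

def suspicious_links(markdown, allowed=ALLOWED_SCHEMES):
    """Flag targets that are network paths or use a scheme outside the allowlist."""
    flagged = []
    for line, target in link_targets(markdown):
        try:
            scheme = urlsplit(target).scheme.lower()
        except ValueError:
            flagged.append((line, target, "unparseable target"))
            continue
        if target.startswith(("\\\\", "//")):
            flagged.append((line, target, "network path"))
        elif scheme and scheme not in allowed:
            flagged.append((line, target, "scheme '%s' not in allowlist" % scheme))
    return flagged

# Constructed sample input; the non-allowlisted targets are inert placeholders.
SAMPLE = """# Notes (constructed sample)
See the [docs](https://example.com/guide) and [setup](./setup.md).
Open [report](file:///C:/placeholder/report.txt) for details.
Contact <mailto:team@example.com> or <example-handler:placeholder>.
[ref]: example-handler:placeholder-2
"""

if __name__ == "__main__":
    for line, target, reason in suspicious_links(SAMPLE):
        print("line %d: %s (%s)" % (line, target, reason))
```

A flagged link is a prompt for review, not proof of malice; relative links and allowlisted schemes pass through unreported.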
The discovery of this vulnerability prompted some users to question Microsoft’s decision to give network functionality to Notepad. Users argue that a simple text editor doesn’t need to be connected to the internet all the time. However, Notepad needs internet access to keep its Copilot integration working. Whether Copilot is necessary in Notepad is a separate debate.
You can check the full patch notes on Microsoft’s security page.