PoC Released for Windows Notepad Vulnerability that Enables Malicious Command Execution

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Microsoft has patched a high-severity remote code execution (RCE) vulnerability in the modern Windows Notepad application, tracked as CVE-2026-20841, as part of its February 2026 Patch Tuesday release cycle.

The flaw, rooted in command injection, was originally discovered by Cristian Papa and Alasdair Gorniak of Delta Obscura and subsequently analyzed in depth by Nikolai Skliarenko and Yazhi Wang of the TrendAI Research team.

Successful exploitation allows an attacker to execute arbitrary commands in the security context of the victim’s account, simply by tricking the user into opening a specially crafted Markdown file and clicking a malicious hyperlink.

The modern Windows Notepad, distributed via the Microsoft Store and distinct from the legacy Notepad.exe bundled with Windows, supports Markdown rendering for files with the .md extension. When a Markdown file is opened, Notepad tokenizes its contents and renders links interactively.

The vulnerable function, sub_140170F60(), handles click events on these links and passes the link value to the Windows API call ShellExecuteExW() after applying only minimal filtering.

That filtering merely strips leading and trailing backslash and forward-slash characters and fails to block malicious protocol URIs such as file:// and ms-appinstaller://, which can be leveraged to load and execute remote or local attacker-controlled files without triggering standard Windows security warnings.

Because ShellExecuteExW() invokes configured system protocol handlers, the attack surface may extend to additional protocols depending on the target system’s configuration.
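
Because the reachable handlers depend on each system's configuration, a scheme allowlist is more dependable than blocking individual protocols. The following Python triage script is an added example, not code from Notepad, Microsoft, or the original write-up; the allowlist, the function names, and the sample document are assumptions constructed for illustration.

```python
import re

# Assumption: schemes this triage treats as acceptable in Markdown links.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

LINK_RE = re.compile(
    r"\[[^\]]*\]\(\s*<?([^)\s>]+)"           # inline link: [text](target)
    r"|<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>"  # autolink: <scheme:target>
)
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def scheme_of(target):
    """Return the lowercased URI scheme, or "" for relative links and anchors."""
    # Mirror the filtering described above (strip leading and trailing
    # slashes and backslashes) to show that it leaves the scheme untouched.
    cleaned = target.strip().strip("/\\")
    match = SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else ""


def flag_links(markdown):
    """Return (line_number, scheme, target) for links outside the allowlist."""
    findings = []
    for number, line in enumerate(markdown.splitlines(), start=1):
        for match in LINK_RE.finditer(line):
            target = match.group(1) or match.group(2)
            scheme = scheme_of(target)
            # Scheme-less targets (anchors, relative paths) are out of scope here.
            if scheme and scheme not in ALLOWED_SCHEMES:
                findings.append((number, scheme, target))
    return findings


# Constructed sample document; hosts and paths are placeholders.
SAMPLE = """\
# Release notes
See the [changelog](https://example.com/changelog) or [mail us](mailto:team@example.com).
Open the [notes](file://placeholder.example.invalid/share/notes.txt).
Get the [package](MS-AppInstaller://placeholder.example.invalid/pkg).
Jump to [usage](#usage) or <https://example.com/docs>.
"""

if __name__ == "__main__":
    for number, scheme, target in flag_links(SAMPLE):
        print(f"line {number}: scheme {scheme!r} not allowlisted: {target}")
```

Run over inbound .md attachments or downloads, the findings list gives a quick signal for files that deserve a closer look before anyone opens them in a Markdown renderer.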

Attack Vector and Patch Details

According to the Zero Day Initiative write-up, exploiting this vulnerability involves an attacker delivering a weaponized file to the victim through email, a download link, or social engineering tactics.

The attacker must then persuade the victim to open the file in Notepad and press Ctrl + click on the embedded malicious link.

Although .md files are not associated with Notepad by default, users who manually open them trigger Markdown rendering, making the vulnerability exploitable. A public proof-of-concept has already been posted on GitHub.

The vulnerability affects Notepad versions 11.2508 and earlier; the fix is delivered via the Microsoft Store in build 11.2510 and later. Legacy Notepad.exe is not impacted.

Microsoft lists no available workarounds and designates user interaction as a prerequisite to exploitation. Organizations should ensure that automatic Microsoft Store updates are enabled and enforce version compliance across managed endpoints to confirm full remediation.
