Notepad's new Markdown powers served with a side of remote code execution
- Reference: 1770809463
- News link: https://www.theregister.co.uk/2026/02/11/notepad_rce_flaw/
- Source link:
Tracked as CVE-2026-20841 (8.8), the vulnerability was addressed in the Windows maker's most recent Patch Tuesday fixes.
The flaw misses out on the top severity scores as it requires a little social engineering in order to get it working, but from there it's plain sailing for an attacker.
When we say "social engineering," it's not the [2]super sophisticated stuff like the dark art practised by Scattered Spider. It's more just tricking people into opening untrusted links.
There are ample email security protections available to organizations, yet phishing remains the most effective initial access vector for cybercriminals, and with Notepad installed as standard on most Windows PCs, it means CVE-2026-20841 could affect quite a few machines.
An attacker needs only to get an unwitting user to open a Markdown file in Notepad and click a malicious link embedded inside.
According to Microsoft's [6]explanation, a hacker can exploit the vulnerability to launch "unverified protocols" that load and execute files with the user's permissions.
The Windows giant also confirmed there are no known cases of the flaw being exploited in the wild.
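A defensive triage check for the scenario above, added here as an example and not taken from Microsoft's advisory or from The Register: it lists the link targets in a Markdown file whose URI scheme falls outside an allow-list. The allow-list, the name `audit_markdown` and the sample document (including the `example-handler` scheme) are assumptions constructed for illustration.

```python
import html
import re

# Assumption: schemes this triage step treats as routine; everything else is reviewed.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Three places a Markdown document can carry a link target.
INLINE = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)")                 # [text](target)
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>")       # <scheme:...>
REFDEF = re.compile(r"^[ \t]{0,3}\[[^\]]+\]:\s*<?([^\s>]+)", re.M)  # [label]: target
SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")


def audit_markdown(text):
    """Return sorted (line, scheme, target) tuples for non-allow-listed link schemes."""
    findings = set()
    for pattern in (INLINE, AUTOLINK, REFDEF):
        for m in pattern.finditer(text):
            # Markdown decodes character references in targets, so decode before checking.
            target = html.unescape(m.group(1))
            sm = SCHEME.match(target)
            if sm is None:
                continue  # relative path or fragment, no protocol handler involved
            scheme = sm.group(1).lower()
            if scheme not in ALLOWED_SCHEMES:
                line = text.count("\n", 0, m.start(1)) + 1
                findings.add((line, scheme, target))
    return sorted(findings)


# Constructed sample document; the paths and the example-handler scheme are made up.
SAMPLE = """\
# Quarterly notes
See the [project page](https://example.com/docs) for context.
Open the [report](file:///C:/temp/report.txt) to continue.
Contact <mailto:it@example.com> or use [the helper][h].
Relative link: [appendix](appendix.md#part-2)

[h]: example-handler://open?arg=1
"""

if __name__ == "__main__":
    for line, scheme, target in audit_markdown(SAMPLE):
        print(f"line {line}: scheme '{scheme}' -> {target}")
```

A check like this fits a mail gateway or file-share sweep for `.md` attachments; it complements, and does not replace, installing the Patch Tuesday fix.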
Microsoft began rolling out Markdown functionality in Notepad in May 2025 as part of a WordPad-ish update before going GA.
The move was [8]divisive: while some welcomed the new feature, many thought Notepad should have been left alone.
[9]Microsoft actually does something useful, adds Sysmon to Windows
[10]Notepad++ hijacking blamed on Chinese Lotus Blossom crew behind Chrysalis backdoor
[11]Notepad will now tell you all the ways Microsoft has enshittified it
[12]Microsoft wedges tables into Notepad for some reason
Critics argued that making Notepad more like WordPad, which Microsoft killed in 2024, betrayed the app's core ethos as a lightweight, fast, no-frills program.
Then came the AI. In September, Windows Insiders were treated to AI-assisted writing, rewriting, and summarization features — provided they were [13]running a Copilot+ PC.
All of this, including Markdown support, can be toggled off in Notepad's settings, but ships as default.
While not affiliated with Microsoft, the disclosure of CVE-2026-20841 comes just days after the Notepad++ team [14]confirmed major security issues.
Earlier this month, it announced fixes and version upgrades after state-sponsored cybercrims compromised its update service as early as June, leading to targeted attacks on organizations with interests in East Asia. ®
[2] https://www.theregister.com/2025/05/18/ex_nsa_scattered_spider_call/
[6] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
[8] https://www.theregister.com/2025/06/02/microsofts_plain_text_editor_notepad_gets_formatting/
[9] https://www.theregister.com/2026/02/04/microsoft_adds_sysmon_to_windows/
[10] https://www.theregister.com/2026/02/02/notepad_hijacking_lotus_blossom/
[11] https://www.theregister.com/2026/01/22/microsoft_notepad_update/
[12] https://www.theregister.com/2025/11/24/notepad_tables_support/
[13] https://www.theregister.com/2025/09/19/microsoft_copilot_marketing_blitz/
[14] https://www.theregister.com/2026/02/02/notepad_plusplus_intrusion/
Sheer lunacy
FreePascal/Lazarus, a TMemo object, open and save dialogs, a menu and/or a few buttons with a few lines of code to join it all together (or the equivalent in your IDE of choice) would be enough to make a basic text editor which is likely to be what most people would want.
Now we need remote processing.
Re: Sheer lunacy
I think it all went downhill after Edlin.
They just don't know when to let things be.
Markdown support in notepad is about as useful as a screen door on a submarine.
Re: They just don't know when to let things be.
But what about the flying fish?
Re: They just don't know when to let things be.
It's a tin can so it'll be sardines you have to worry about.
Re: They just don't know when to let things be.
"as useful as a screen door on a submarine."
Which on the plus side would filter out the chunkier pieces of shit; a misfortune which Notepad has not escaped.
Ha ha ha ha ha
Ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha ha
Fucking muppets
Re: Ha ha ha ha ha
Fucking muppets
I am sure there is a porn channel for that but not Disney+ where there is apparently a legitimate revival of the Muppet Show.
I've got an idea...
Listen guys, hear me out. We've been getting some feedback that some people, crazy people clearly, are not soooo happy with the new changes to Notepad. But look I have an idea.
We split Notepad into two programs. Wait, wait, just listen. Right, one, let's call it Notepad Classic, rips out all the new stuff and takes it back to being just a simple stupid word editor. Right, right, no listen, really that is what some people want. And then we take the second program and add in all that new stuff, plus any other great idea you guys come up with. And to differentiate it a bit more, we'll give it a new name, something between Notepad and Word... I've got it Wordpad! Yep we call that one Wordpad. And that one gets stuffed to the gills with all the cool features. Once we've done that, well we can dump the whole Classic from the name Notepad, and just have Notepad and Wordpad!
I know, I know, it's a radical idea. A bit out there. Creating two programs, but you know we have 2 separate audiences here, and one size does not always fit all. Not everyone can wear my shoes, you know what I'm saying. So 2 programs, for 2 different audiences. Crazy, right? But you know it might just work...
Re: I've got an idea...
You already have the choice. Server 2025 aka "Actual Windows Professional": Notepad unaffected, still older style.
Only a Product Manager could manage this
Feels desperately like MS is just a bunch of Product Managers now with very little developer input. Any dev would tell you if it's not broken, don't fix it. And Notepad is the perfect example of this.
Re: Only a Product Manager could manage this
Let me fix that for you:
Notepad was the perfect example of this.
the app's core ethos as a lightweight, fast, no-frills program…
This is bollocks, it was developed to showcase MFC and wasn't supposed to be shipped with the OS because its limitations were known to developers. Even then there were other, better text editors that didn't mean you had to join the sects of either Emacs or Vi.
Re: the app's core ethos as a lightweight, fast, no-frills program…
> it was developed to showcase MFC
Yet it was shipped before MFC, by - years. Neat trick. According to Microsoft, years before they even released their first C++ compiler!
> wasn't supposed to be shipped with the OS because its limitations were known to developers
What limitation?
Classic Notepad was a perfectly functional little editor. It did its job and nothing else. Which is why so many people regret its passing.
> Even then there were other, better text editors that didn't mean you had to join the sects of either Emacs or Vi
Yes, there were - and are - other editors with many more functions. And plenty of other small, compact, simple editors, usually on the same machines as the full fat ones. What of it? Plenty of comments here are from devs who use huge editors, full IDEs even, but still want to have Notepad around.
Re: the app's core ethos as a lightweight, fast, no-frills program…
Limitations: let's start with encodings and line-wrapping…
I can't remember the last time I saw a developer use Notepad. In fact, I don't think I ever have.
"All of this [..] can be toggled off"
Nope, not the way to do it.
It should be "toggled on".
Not that I care anyway, Notepad++ is vastly superior and does exactly what I want it to do.
I've typed out five sarcastic comments here, and backspaced over them because none of them come close to adequately expressing my derision at Microsoft for managing to even screw up Notepad, which has long been my favorite Windows app going all the way back to WfW 3.11.
There's Edit
On Windows 11 (and maybe Server 2025, I've not got one to hand to check) they've reintroduced Edit. Which for those of you older than God's dog will remember from back in the MSDOS days. It's how Notepad should be - just a simple text editor. It even supports mouse-clicks for the menus for those too chicken to use a keyboard shortcut.
Only Microsoft could put an RCE in a basic text editor
...OK, I'm sure that Vim with umpteen plugins could do the same, but those plugins are optional.
What an absolute mess of a company.
Steven R