Microsoft has fixed a critical vulnerability affecting Markdown files in Notepad. In Tuesday’s patch notes, Microsoft says a bad actor could perform a remote code execution attack by tricking users into “clicking on a malicious link inside a Markdown file opened in Notepad,” as The Register previously reported.
Clicking on the link “launches unauthenticated protocols,” allowing attackers to remotely load and execute malicious files on the victim’s computer, according to the patch notes. Microsoft says there is no evidence of attackers exploiting the Notepad vulnerability (CVE-2026-20841) in the wild, but it released a fix for the bug in its Tuesday patch.
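Because the bug is triggered by a link in a Markdown file that launches a protocol handler, one defensive check is to list every link target in a file whose URL scheme is not on an allowlist before the file is opened or shared. The sketch below is an added example, not Microsoft's fix or code from the patch notes; the allowlist, the function names and the sample document (including its `example-handler` and `other-handler` schemes) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: schemes a document is allowed to open; tune to local policy.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline links and images: [text](target "title") or [text](<target>)
INLINE = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)")
# Reference definitions: [label]: target
REFDEF = re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?(\S+?)>?(?:\s|$)", re.MULTILINE)
# Autolinks: <scheme:rest>
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.\-]{1,31}:[^\s<>]*)>")

# Constructed sample document, not taken from any real file.
SAMPLE = """\
# Release notes (constructed sample)
See the [guide](https://example.com/guide "Guide") and [setup](docs/setup.md).
Contact <mailto:team@example.com> or [install][pkg].
[Open report](example-handler://host/report)

[pkg]: <other-handler:item?id=1>
"""

def link_targets(markdown):
    """Return each distinct link target once, in order of discovery."""
    seen = []
    for pattern in (INLINE, REFDEF, AUTOLINK):
        for match in pattern.finditer(markdown):
            if match.group(1) not in seen:
                seen.append(match.group(1))
    return seen

def flag_links(markdown):
    """Return (scheme, target) for targets whose scheme is not allowlisted."""
    flagged = []
    for target in link_targets(markdown):
        try:
            scheme = urlsplit(target).scheme.lower()
        except ValueError:
            scheme = "unparseable"  # malformed URL: surface it for review
        # An empty scheme is a relative path or anchor, not a protocol launch.
        if scheme and scheme not in ALLOWED_SCHEMES:
            flagged.append((scheme, target))
    return flagged

if __name__ == "__main__":
    for scheme, target in flag_links(SAMPLE):
        print(f"review: scheme '{scheme}' in link target {target}")
```

The regular expressions cover inline, reference-style and autolink syntax only; raw HTML anchors embedded in Markdown are out of scope for this sketch.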
Microsoft originally added support for Markdown, a plain text formatting language, to Notepad in Windows 11 last May. The move fueled criticism that Microsoft is filling its operating system with bloatware, including by stuffing new features and AI capabilities into apps like Notepad and Paint.
Notepad isn’t the only text editor to face security issues recently, as third-party Notepad++ has revealed that some users may have downloaded a malicious update linked to Chinese state-sponsored attackers.