PoC Released for Windows Notepad CVE-2026-20841 Enabling Malicious Command Execution
Microsoft patched a high-severity remote code execution flaw in modern Windows Notepad. The vulnerability, tracked as CVE-2026-20841, was addressed in the February 2026 Patch Tuesday release. Attackers trick users into opening crafted Markdown files; a single Ctrl+click on a malicious link then runs arbitrary commands with the user's privileges.
The modern Notepad app from the Microsoft Store handles .md files with Markdown rendering, which makes links clickable. The bug lives in the link-click handling: a weak filter passes the link target to the ShellExecuteExW API, so non-web protocols such as file:// slip through and no standard warning appears.
Researchers Cristian Papa and Alasdair Gorniak from Delta Obscura found it first. Nikolai Skliarenko and Yazhi Wang from TrendAI provided the in-depth analysis. A public proof-of-concept now lives on GitHub. Attackers can deliver the files via email or downloads; the user must still open the file in Notepad manually and Ctrl+click the link.
Legacy Notepad.exe is not affected. Only Store versions 11.2508 and earlier are vulnerable; version 11.2510 fixes the flaw and arrives via auto-update. No workarounds exist. The required user interaction keeps the CVSS score at 8.8 (High).
Affected Versions Table
| Notepad Type | Versions Affected | Fixed Version |
|---|---|---|
| Modern (Store) | ≤ 11.2508 | 11.2510+ |
| Legacy (Win32) | All | Not affected |
Check version via Help > About in Notepad.
Attack Chain Breakdown
| Step | Action | Requirement |
|---|---|---|
| Delivery | Email/phishing with .md file | Social engineering |
| Open File | User selects Open with > Notepad | Manual choice |
| Trigger Exploit | Ctrl+click malicious link | User interaction |
| Execution | ShellExecuteExW runs payload | User privileges |
Protocols abused: file://, ms-appinstaller://, and others depending on the handlers registered on the system.
Technical Root Cause
Notepad’s sub_140170F60() function processes links. It strips only leading and trailing slashes, converts backslashes to forward slashes, and then makes the API call; crafted URIs therefore reach the protocol handlers without any scheme validation.
Example PoC link: `file://C:/Windows/System32/calc.exe`
The Markdown renders normally until the link is clicked.
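To make the root cause concrete, the following added example (not Notepad's code, and not from the researchers cited above) models the weak filter the article describes next to the check a Markdown viewer should run before delegating any link to an OS launcher such as ShellExecuteExW: a scheme allow-list. The function names, the allow-list contents and the sample hrefs are constructed for illustration.

```python
"""Weak link normalisation vs. a scheme allow-list.

Added example, not Notepad's code: `weak_normalize` models the filter the
article describes (strip leading/trailing slashes, flip backslashes, then
delegate), and `hardened_accept` is the check a Markdown viewer should run
before handing any link to an OS launcher. Link strings, function names and
the allow-list are constructed for illustration.
"""
from urllib.parse import urlsplit

# Schemes a document viewer has a legitimate reason to open externally.
# file://, ms-appinstaller:// and any custom handler fall outside the list.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})


def weak_normalize(href: str) -> str:
    """Model of the vulnerable behaviour: cosmetic cleanup, no scheme check.
    Whatever comes out would be passed straight to the shell."""
    return href.strip("/").replace("\\", "/")


def hardened_accept(href: str) -> bool:
    """Return True only when the link's scheme is on the allow-list.

    The scheme is taken from urlsplit, so a leading drive letter ('C:\\...'),
    a missing scheme or mixed case all end in a refusal rather than a launch.
    """
    scheme = urlsplit(href.strip()).scheme.lower()
    return bool(scheme) and scheme in ALLOWED_SCHEMES


def triage(links):
    """For each link, report what the weak filter would forward and
    whether the hardened check lets it through at all."""
    return [(href, weak_normalize(href), hardened_accept(href)) for href in links]


# Constructed sample hrefs: one benign link, the article's PoC shape, and variants.
SAMPLE_LINKS = [
    "https://example.com/readme",
    "file://C:/Windows/System32/calc.exe",
    "//file:\\C:\\Windows\\System32\\calc.exe//",
    "ms-appinstaller://example.invalid/app.msix",
    "C:\\Windows\\System32\\calc.exe",
]

if __name__ == "__main__":
    for href, forwarded, allowed in triage(SAMPLE_LINKS):
        verdict = "ALLOW" if allowed else "BLOCK"
        print(f"{verdict:5}  {href!r:48} weak filter would forward: {forwarded!r}")
```

The point of the contrast: the weak filter changes the shape of the string but never asks what it is, so every sample except the https link is forwarded untouched in substance. The allow-list refuses on the scheme alone, which is the decision the article says was missing.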
Detection Signatures
Monitor for:
- Notepad spawning cmd.exe or powershell.exe unexpectedly.
- Network connections originating from notepad.exe.
- .md files from unknown sources being opened.
Sigma rule snippet:
```yaml
title: Notepad RCE via Markdown Link
# parent: Atomic Red Team
logsource: {category: process_creation, product: windows}
detection:
  selection:
    ParentImage|endswith: '\notepad.exe'
    Image|endswith: ['\cmd.exe', '\powershell.exe']
  condition: selection
```
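The following added example (not from the article, TrendAI or any vendor) applies the detection signatures above to a handful of constructed Sysmon-style events, so the logic can be exercised before it is turned into a production rule. Field names follow Sysmon event ID 1 (process create) and 3 (network connect) conventions; the events, the IP address and the WindowsApps path placeholder are invented for this demonstration.

```python
"""Detection logic for the Notepad signatures, run over constructed events.

Added example, not from the article or any vendor: the two matchers are the
procedural equivalent of the Sigma selection (Notepad as parent of cmd.exe or
powershell.exe) plus the network-connection indicator. Field names follow
Sysmon event ID 1 and 3 conventions; all events are invented, including the
Store package directory placeholder.
"""
from typing import Iterable

# Child images the article names as unexpected under Notepad. Lower-case,
# because Windows paths are case-insensitive and the matcher lower-cases input.
SUSPICIOUS_CHILDREN = ("\\cmd.exe", "\\powershell.exe")


def match_child_process(event: dict) -> bool:
    """Sysmon EID 1: notepad.exe is the parent of a command interpreter."""
    if event.get("EventID") != 1:
        return False
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    return parent.endswith("\\notepad.exe") and image.endswith(SUSPICIOUS_CHILDREN)


def match_network(event: dict) -> bool:
    """Sysmon EID 3: any outbound connection initiated by notepad.exe."""
    return event.get("EventID") == 3 and event.get("Image", "").lower().endswith("\\notepad.exe")


def triage(events: Iterable[dict]) -> list:
    """Return (rule_name, detail) tuples for every event that fires a rule."""
    alerts = []
    for e in events:
        if match_child_process(e):
            alerts.append(("notepad_child_process", e["Image"]))
        elif match_network(e):
            alerts.append(("notepad_network", e["DestinationIp"]))
    return alerts


# Constructed sample telemetry. The Store package directory is a placeholder,
# and 203.0.113.10 is a documentation-range address.
STORE_NOTEPAD = r"C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_<version>_x64__<publisher>\Notepad\Notepad.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": STORE_NOTEPAD},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": STORE_NOTEPAD, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    # The PoC's calc.exe payload: a Notepad child, but not one the narrow rule lists.
    {"EventID": 1, "Image": r"C:\Windows\System32\calc.exe", "ParentImage": STORE_NOTEPAD},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Two of the five constructed events fire; the last one deliberately does not. It mirrors the article's own PoC payload (calc.exe launched by Notepad) and shows the blind spot of a rule keyed to cmd.exe and powershell.exe only. Widening the selection to any child of notepad.exe catches that case but needs a baseline first, since a legitimate https link click will also make Notepad the parent of the default browser.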
Mitigation Steps
- Enable Microsoft Store auto-updates.
- Block .md files from email attachments via mail gateway.
- Deploy AppLocker/WDAC restricting Notepad child processes.
- Audit Notepad versions across endpoints.
- Train users: Never open unknown .md files in Notepad.
An Intune policy can push Store updates fleet-wide.
Risk by Sector
Because Notepad ships with every Windows installation, every sector is exposed. Phishing-heavy sectors lead:
- Government and public admin
- Financial services
- Healthcare
- Tech and education
Admin users face full system compromise.
Patch Verification
Post-update test: open a known-safe .md file containing a non-http link and Ctrl+click it. Notepad should warn or block; vulnerable versions execute the target silently.
FAQ
Q: How is the flaw exploited?
A: The user opens a .md file manually and Ctrl+clicks a malicious Markdown link.
Q: Is the legacy Notepad.exe affected?
A: No. Only the modern Microsoft Store Notepad is affected.
Q: Is a proof of concept available?
A: Yes. A GitHub repository demonstrates safe reproduction.
Q: Which version fixes the flaw?
A: Notepad 11.2510 and later via the Microsoft Store.
Q: Can it be exploited without user interaction?
A: No. It requires user interaction after the file is opened.
Q: Who discovered the flaw?
A: Cristian Papa and Alasdair Gorniak (Delta Obscura); analyzed by TrendAI researchers.