What for decades was a virtually harmless tool has become the focus of a top-tier security alert. Windows 11 Notepad, one of the most basic programs in the system, has been affected by a serious vulnerability that could allow remote code execution on millions of computers.
The gap, categorized as CVE-2026-20841 and with a score of 8,8 out of 10 on the CVSS scaleIt took advantage of Notepad's new features to turn a simple text file into a potential attack vector. Markdown document (.md) manipulated with malicious links It was enough to compromise the device if the user clicked on the link within the application.
What exactly is the critical Notepad bug in Windows 11?
According to Microsoft Security Response Center (MSRC)The problem originated in a inadequate neutralization of special elements used in a commandIn other words, a good old-fashioned command injection. Modern Notepad is capable of interpreting links in Markdown files and launching external protocols, and it is precisely at this point that security faltered.
In practice, an attacker could send a .md file attached to a phishing emailshare it via messaging or host it on a website. If the user opened it with Windows 11 Notepad and clicked on an embedded malicious link, the application could trigger unverified protocols that would load and execute remote content within that user's security context.
This means that the malicious code was executed with the same privileges as the affected accountIf the user was working with administrator privileges in Windows, the potential impact was serious: theft of information, modification of system files, installation of additional malware, or even rendering the computer completely unusable.
Microsoft has confirmed that this is a vulnerability in Remote Code Execution (RCE) with network attack vector, low technical complexity And without the attacker needing prior access to the system. The only requirement is user interaction: opening the Markdown file and clicking on the marked link.
From minimalist editor to front door: how we got here
For years, Notepad's best protection was its very simplicity. The classic Windows version was limited to edit plain text without formatting, without clickable links or connection to other complex system components. But with Windows 11, Microsoft has decided to update it and make it something much more ambitious.
In recent times, the application has received tabs, autosave, spell check, autocorrect, full Markdown support, and above all, Copilot integration, the company's artificial intelligence assistant.
In recent times, the application has received tabs, autosave, spell check, autocorrect, full Markdown support, and above all, Copilot integration, the company's artificial intelligence assistant.
Markdown support, in particular, has been key to this story. By allowing the editor interpret links and make them interactiveThe attack surface has grown considerably. A poorly processed character or a poorly filtered command in a link can open the door to code execution that, in the classic version, simply had nowhere to run.
Technical sources indicate that the vulnerability has been present since the version 11.0.0 of the new Notepad and it has been corrected in the compilation 11.2510 and laterThat is, all users who have not updated the app since the Microsoft Store They run the risk of remaining exposed, especially in environments where Store updates are not automatic.
How the malicious Markdown file attack works
The exploitation scenario is relatively easy to imagine and, for that very reason, worrying. An attacker creates a specially designed Markdown file (.md), where it embeds one or more links that may appear harmless (for example, a supposed link to documentation or a repository).
When the user opens that file with the updated Windows 11 Notepad, the links appear clickable thanks to Markdown support. The moment the victim clicks on one of them, the application initiates a protocol without proper validationwhich can lead to the downloading and execution of remote files or the injection of commands into the system.
That code runs in the context of the account that opened the file, which means that inherits all its permissionsOn a poorly configured home computer, where an administrator account is typically used, an attacker could potentially... take full control of the PC, install ransomware, access personal documents, or pivot to other devices on the local network.
Although the main method described by Microsoft requires clicking on the link, some more alarmist interpretations have pointed to the risk that, in certain configurations, simply opening the document could trigger dangerous processes through the rendering engine. In any case, the company insists that no active exploitation or previous leaks have been detected before the patch release.
Reports published by Microsoft highlight that the impact of this vulnerability is high in confidentiality, integrity and availabilitythree of the basic pillars of cybersecurity. This is not a minor flaw, therefore, but a serious problem in an application that comes pre-installed on virtually all Windows 11 computers, both in Spain and the rest of Europe.
Microsoft's response: patches, priorities, and recommendations
After identifying the flaw, Microsoft has released the fix as part of the Patch Tuesday of February 2026, in addition to directly updating the application through the Microsoft StoreThe company has emphasized that The vulnerability was not made public before it was fixed. and that, to date, there is no evidence that it has been used in actual attacks.
The MSRC statement details that the bug was related to how Notepad invoked protocols from Markdown links, and that the patch introduces a stricter validation of those commandspreventing arbitrary instructions from being executed or remote files from being loaded without control.
The fix affects the modern version of the app distributed by the Store, No to the old classic Notepad.exeThat's why it's so important to check which version is actually being used. In corporate environments, where many organizations in Europe maintain conservative update policies, this detail is especially relevant.
At the same time, the incident has reignited the debate about whether it makes sense filling applications that were previously minimalist with advanced features, especially for the integration with assistants.
At the same time, the incident has reignited the debate about whether it makes sense filling applications that were previously minimalist with advanced features.
How to check if you are protected and what steps to take
The good news is that protecting against this flaw is relatively simple, provided that the necessary precautions are taken. a few basic precautionsThe first step is to make sure the application is up to date. version 11.2510 or higherwhich is where Microsoft has introduced the patch.
To check and upgrade from Windows 11, simply follow these very specific steps:
- Open the Microsoft Store from the Start menu.
- Go to the section Library, in the lower left corner.
- Click on “Get updates” and wait for the new versions to download.
- Verify that Notepad appears updated to the build 11.2510 or later.
In addition, the company recommends enabling the Automatic Updates both the system and the applications in the Store, something especially relevant in European companies and public administrations, where a seemingly innocuous app can coexist on devices with sensitive information.
As an additional containment measure, while confirming that the patch is installed, several cybersecurity experts suggest temporarily disable optional features from the Notepad related to connectivity and advanced text processing:
- Disable the Markdown support from the app settings.
- Disable the autocorrect and automatic spell checking.
- Limit or turn off, if possible, the Copilot integration inside the editor.
- Avoid opening files .md file of unknown origin and not clicking on links included in unexpected documents.
In a European context where remote work and the use of personal devices to connect to corporate networks are increasingly common, these kinds of recommendations are not exaggerated. A simple Markdown file received by email can, under the right circumstances, become the gateway to an entire corporate network.
This whole episode leaves one clear message: even Even the simplest applications cease to be harmless. When you add layers of AI, connectivity to external services, and advanced features, Windows 11 Notepad has evolved from a simple digital notepad into a core component of the system, with all the advantages and risks that entails. Keeping it updated, reviewing its settings, and handling files with caution are now essential steps to avoid unnecessary problems.
