
"Just months after Microsoft added Markdown support to Notepad, researchers have found the feature can be abused to achieve remote code execution (RCE). Tracked as CVE-2026-20841 (8.8), the vulnerability was addressed in the Windows maker's most recent Patch Tuesday fixes. The flaw misses out on the top severity scores as it requires a little social engineering in order to get it working, but from there it's plain sailing for an attacker."
"There are ample email security protections available to organizations, yet phishing remains the most effective initial access vector for cybercriminals, and with Notepad installed as standard on most Windows PCs, it means CVE-2026-20841 could affect quite a few machines. An attacker needs only to get an unwitting user to open a Markdown file in Notepad and click a malicious link embedded inside. According to Microsoft's explanation, a hacker can exploit the vulnerability to launch 'unverified protocols' that load and execute files with the user's permissions."
"Microsoft began rolling out Markdown functionality in Notepad in May 2025 as part of a WordPad-ish update before going GA. The move was divisive: while some welcomed the new feature, many thought Notepad should have been left alone. Critics argued that making Notepad more like WordPad, which Microsoft killed in 2024, betrayed the app's core ethos as a lightweight, fast, no-frills program."
The Markdown support Microsoft added to Notepad contains a vulnerability, tracked as CVE-2026-20841, that can enable remote code execution. Exploitation requires social engineering to trick users into opening a Markdown file and clicking a malicious link. The flaw allows attackers to launch unverified protocols that load and execute files with the user's permissions. Microsoft addressed the issue in the latest Patch Tuesday updates and reported no known in-the-wild exploitation. Notepad ships with Markdown and AI features enabled by default, but these can be toggled off in settings. Because Notepad is so widely installed, many Windows PCs could be affected.
Read at The Register