Update Windows 11 Now: Major Notepad Flaw Fixed

If you’re running Windows 11, it’s time to hit that update button.

Microsoft has patched a high-severity remote code execution (RCE) vulnerability in the Windows 11 Notepad app that could allow attackers to silently execute malicious files through specially crafted Markdown links, according to BleepingComputer.

The flaw, tracked as CVE-2026-20841, stems from Notepad’s relatively new Markdown support — a feature Microsoft added after discontinuing WordPad and modernizing Notepad into a more capable text and rich text editor. Markdown allows users to format text and insert clickable links using simple syntax like:

**Bold text**
[Link](https://www.link.com)

But researchers discovered that attackers could abuse this functionality by embedding malicious file:// links or special URIs such as ms-appinstaller:// inside a Markdown (.md) file. If a user opened the file in Notepad (version 11.2510 or earlier) and Ctrl+clicked the link, Windows would execute the referenced file without displaying a security warning.

Microsoft described the issue as: “Improper neutralization of special elements used in a command (‘command injection’) in Windows Notepad App allows an unauthorized attacker to execute code over a network.”

In other words, someone could trick you into opening a Markdown file and clicking a link — and just like that, code would execute under your user permissions. That means access equivalent to whatever rights your account has on the system. The vulnerability could even be exploited using remote SMB shares, making it more than just a theoretical risk.

The good news? Microsoft addressed the flaw in its February 2026 Patch Tuesday updates. Notepad now displays warning prompts when users attempt to open non-HTTP(S) links such as file:, ms-settings:, ms-appinstaller:, mailto:, and others.

While it’s still technically possible to social-engineer users into clicking “Yes,” the silent execution issue has been resolved.
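A defender-side triage script for the link types named above, added here as an example and not code from Microsoft or the original article: it lists Markdown link targets that are not plain http(s), the same class of links Notepad now prompts on. The function names, regexes and sample document are constructed for illustration, and the regexes are a simplified link matcher rather than a full Markdown parser.

```python
import re

# Schemes treated as ordinary web links; every other target is reported.
WEB_SCHEMES = {"http", "https"}
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Inline links [text](target), autolinks <scheme:...>, reference definitions.
PATTERNS = (
    re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)"),
    re.compile(r"<([A-Za-z][A-Za-z0-9+.\-]*:[^>\s]+)>"),
    re.compile(r"^[ ]{0,3}\[[^\]]+\]:[ \t]*<?([^\s>]+)", re.M),
)

def classify(target):
    """Return why a link target needs review, or None for web/relative links."""
    if target.startswith(("\\\\", "//")):
        return "UNC or network path"
    if re.match(r"^[A-Za-z]:[\\/]", target):
        return "local drive path"
    m = SCHEME.match(target)
    if m is None or m.group(1).lower() in WEB_SCHEMES:
        return None
    return f"non-HTTP(S) scheme '{m.group(1).lower()}:'"

def scan_markdown(text):
    """Return sorted (line_number, target, reason) tuples for flagged links."""
    findings = set()
    for pattern in PATTERNS:
        for m in pattern.finditer(text):
            reason = classify(m.group(1))
            if reason:
                line = text.count("\n", 0, m.start(1)) + 1
                findings.add((line, m.group(1), reason))
    return sorted(findings)

# Constructed sample document (hosts and paths are placeholders).
SAMPLE = """\
# Release notes (constructed sample)
See the [docs](https://example.com/docs) and [setup](setup.md).
Read the [notes](file://fileserver.example/share/readme.txt) first.
Or use <ms-appinstaller:?source=https://example.com/app.msix>
[tool]: \\\\fileserver.example\\share\\notes.txt
Contact [support](mailto:help@example.com).
"""

if __name__ == "__main__":
    for line, target, reason in scan_markdown(SAMPLE):
        print(f"line {line}: {reason}: {target}")
```

Run over a mail gateway quarantine or a downloads folder, a scan like this gives a quick list of .md files worth a closer look before anyone opens them.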

It’s worth noting that this critical security fix stands in stark contrast to Microsoft’s recent Windows 11 updates, which have largely centred around AI integrations like Copilot and even animated AI companions that feel suspiciously like Clippy 2.0. This time, though, the focus is squarely on security — and that’s a welcome change.

Since Notepad updates automatically through the Microsoft Store, most users should receive the fix without needing to manually install it. Still, it’s a good reminder to ensure your Windows 11 device is fully up to date.
