Microsoft has patched a high-severity security vulnerability in Windows 11 Notepad that allowed specially crafted Markdown links to launch local or remote programs - without triggering standard Windows security warnings.
The flaw tracked as CVE-2026-20841 was fixed as part of the February 2026 Patch Tuesday updates, which we release monthly.
While exploitation required a user to open a malicious Markdown file and click a link, the lack of any warning prompt made the issue especially dangerous.
What Went Wrong?
Notepad has evolved significantly since its debut in Windows 1.0. With Windows 11, Microsoft modernized the app by:
- Adding Markdown support
- Enabling richer formatting features
- Retiring WordPad as the default RTF editor
Markdown support allows users to create formatted text and clickable links using simple syntax, such as:
**Bold text**[Example Link](https://example.com)
However, researchers discovered that Notepad did not properly restrict non-standard protocols inside Markdown links.
How the Exploit Worked
In vulnerable versions (11.2510 and earlier):
- Links using protocols like
file://,ms-appinstaller://, and other custom URI schemes - Became clickable in Markdown view
- Launched executables directly when Ctrl+clicked
- Displayed no Windows security warning
This meant an attacker could:
- Create a malicious Markdown (.md) file
- Insert a link pointing to a local or remote executable
- Trick a user into clicking it
If clicked, the program would run with the same permissions as the logged-in user.
In some cases, the link could point to a file hosted on a remote SMB share, expanding the potential attack surface.
What Microsoft Changed
Microsoft has now implemented stricter safeguards.
Notepad will:
- Display a warning dialog for any link that does not use standard
http://orhttps://protocols - Require explicit user confirmation before proceeding
This eliminates the previous silent execution behavior.
While social engineering remains possible (users could still click “Yes”), the automatic launch without warning is no longer an issue.
Why This Matters
This vulnerability highlights an important lesson:
"Even simple apps can introduce serious security risks when new features are added."
Markdown support made Notepad more powerful and flexible - but it also expanded the application’s attack surface.
Update Status
Because Notepad updates automatically through the Microsoft Store, most Windows 11 users should receive the fix without manual action.
Still, keeping Windows fully updated remains essential, especially when vulnerabilities involve remote code action.
Thank you for being a Ghacks reader. The post Windows 11 Notepad Bug Let Markdown Links Run Files Without Warning appeared first on gHacks.
☞ El artículo completo original de Arthur Kay lo puedes ver aquí