Microsoft fixes Notepad flaw that could allow attackers to hijack your Windows PC
Microsoft said it recently fixed a security flaw in Notepad that could let an attacker download and run malicious code.
Microsoft has rolled out a security update to patch a critical vulnerability in its Notepad app. The development comes just a day after the developer of Notepad++, a popular alternative to Microsoft’s app, revealed that its infrastructure had been compromised by a Chinese threat actor.
According to the tech giant, the security flaw, tracked as CVE-2026-20841, had a severity rating of 8.8/7.7.
Microsoft said that the exploit allowed an attacker to “trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.”
This means that an attacker could exploit the vulnerability by creating a Markdown file containing a malicious link. If a user clicked on such a link, the attack could launch, then download and run malicious code, and the attacker could eventually gain full access to the system.
The flaw was fixed as part of the February 2026 Patch Tuesday security updates, and Microsoft recommends that all users install the update. The company says the flaw had no known public exploits at the time of release.
Notepad had previously been a basic text editor, but in May last year, Microsoft rolled out a new and redesigned app that introduced support for “Markdown-style input and files for users who prefer to work directly with the lightweight markup language.”
With a security exploit affecting Notepad for the first time, many users are questioning Microsoft’s decision to give the app network access, saying that a text editor does not need to be connected to the internet all the time.
The tech giant says Notepad requires internet access if users want to use Copilot. In the last few years, users have been criticising Microsoft for stuffing its core apps like Notepad and Paint with Copilot and other AI-powered features.