
Microsoft patched a serious security hole in Windows Notepad this week that could allow attackers to remotely execute malicious code on victims' machines simply by convincing them to click a link inside a Markdown file—transforming one of Windows' most benign applications into a potential attack vector.
The vulnerability, tracked as CVE-2026-20841, earned a CVSS severity score of 8.8 and affects the Windows Notepad app's handling of Markdown files. Security researcher Delta Obscura, who discovered the flaw, found that attackers could craft Markdown documents containing malicious links that, when clicked, trigger Notepad to launch unverified protocols.
"An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files," Microsoft explained in its security advisory released February 10.
The attack works because of command injection weaknesses in how Notepad processes certain elements within Markdown files. When a victim opens a weaponised Markdown file and clicks an embedded link, Notepad executes the attacker's code with the same permissions as the logged-in user—potentially granting full system access if the victim has administrative privileges.
According to Cisco Talos researchers, the flaw represents a concerning expansion of Windows' attack surface given Notepad's ubiquity across Windows installations. While Microsoft currently assesses exploitation as "less likely" with no active attacks detected, the low attack complexity and network-based vector make it an attractive target for phishing campaigns.
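As an added example (not code from Microsoft, the researcher or the original article), the Python script below shows one way a mail or file gateway could triage Markdown files for links whose URI scheme falls outside an allowlist, the kind of link the advisory describes. The allowlist, the `example-proto` scheme and the sample document are assumptions constructed for illustration.

```python
import re

# Assumption: the schemes this hypothetical policy allows links to use.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline links/images [text](target), autolinks <scheme:...>, and
# reference definitions "[id]: target".
INLINE = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]+)")
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]{1,31}:[^\s<>]*)>")
REFDEF = re.compile(r"^ {0,3}\[[^\]]+\]:\s*<?(\S+?)>?(?:\s|$)", re.MULTILINE)
SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")

def link_targets(markdown):
    """Yield (line_number, target) for every link target found."""
    for pattern in (INLINE, AUTOLINK, REFDEF):
        for m in pattern.finditer(markdown):
            yield markdown.count("\n", 0, m.start(1)) + 1, m.group(1)

def scheme_of(target):
    """Return the lowercased URI scheme, or None for relative/local paths."""
    m = SCHEME.match(target)
    # A one-letter "scheme" is a Windows drive letter (C:\notes.md).
    if m is None or len(m.group(1)) == 1:
        return None
    return m.group(1).lower()

def audit(markdown):
    """Return sorted (line, scheme, target) for links outside the allowlist."""
    findings = set()
    for line, target in link_targets(markdown):
        scheme = scheme_of(target)
        if scheme and scheme not in ALLOWED_SCHEMES:
            findings.add((line, scheme, target))
    return sorted(findings)

# Constructed sample; "example-proto" is a placeholder, not a real handler.
SAMPLE = """# Release notes
See the [docs](https://example.com/docs) or [mail us](mailto:it@example.com).
Open the [installer](Example-Proto://host.example/setup) to continue.
Local copy: [notes](C:\\Users\\me\\notes.md) and [relative](./readme.md)
<example-proto:payload>
[ref]: example-proto://host.example/ref
"""

if __name__ == "__main__":
    for line, scheme, target in audit(SAMPLE):
        print(f"line {line}: unapproved scheme '{scheme}' -> {target}")
```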
Patch Tuesday's Alarming Zero-Day Count
The Notepad vulnerability emerges as part of Microsoft's February 2026 Patch Tuesday, which addressed 58 security flaws—an update notable for patching an alarming six actively exploited zero-day vulnerabilities, three of which were publicly disclosed before fixes became available.
The six zero-day vulnerabilities Microsoft patched this month are:
- CVE-2026-21510 (CVSS 7.5) - Windows SmartScreen and Shell security bypass allowing attackers to evade warnings through crafted malicious links or shortcuts
- CVE-2026-21513 (CVSS 8.8) - Internet Explorer/MSHTML security control bypass enabling code execution via malicious HTML pages or LNK files
- CVE-2026-21514 - Microsoft Word security feature bypass that circumvents OLE mitigations, requiring users to open malicious Office files
- CVE-2026-21519 (CVSS 7.8) - Desktop Window Manager elevation of privilege vulnerability, granting attackers SYSTEM-level access
- CVE-2026-21525 (CVSS 6.5) - Windows Remote Access Connection Manager denial-of-service flaw affecting VPN connections
- CVE-2026-21533 (CVSS 8.8) - Windows Remote Desktop Services privilege escalation, allowing attackers to gain SYSTEM privileges
Security researchers from Google Threat Intelligence Group, Microsoft's internal teams, CrowdStrike, and Acros Security contributed to discovering these flaws, which were exploited in targeted attacks before patches became available.
The February update also addresses five Critical-rated vulnerabilities and begins phasing out the 2011 Secure Boot certificates, which are set to expire in June 2026. Windows users should install updates KB5077181 (Windows 11) or KB5075912 (Windows 10) immediately through Windows Update.
Organisations' security teams should prioritise deploying these patches across all Windows endpoints and educate users about the risks of opening Markdown files or Office documents, or clicking links, from untrusted sources. The Notepad flaw is a reminder that even the simplest applications can become attack vectors.