Windows 11 Notepad flaw let files execute silently via Markdown links, fix now deployed

Microsoft has fixed a high-severity remote code execution vulnerability in Windows 11 Notepad that allowed attackers to execute local or remote programs by tricking users into clicking specially crafted Markdown links, without displaying any Windows security warnings. The flaw, tracked as CVE-2026-20841, was discovered by Cristian Papa, Alasdair Gorniak, and Chen, and was addressed in the February 2026 Patch Tuesday updates.