CVE-2026-20841: Arbitrary Code... Note

CVE-2026-20841: Arbitrary Code Execution in the Windows Notepad

This report details a command injection vulnerability in Microsoft Windows Notepad (CVE-2026-20841). The vulnerability stems from improper validation of links within rendered Markdown files. Exploitation involves enticing a user to open a crafted malicious Markdown file containing a harmful link. When the user clicks the link, arbitrary commands can execute within the victim's account's security context. The Notepad application tokenizes input and renders Markdown files if the file extension is ".md". The vulnerability exists in the function handling link clicks, sub_140170F60(), which calls ShellExecuteExW(). Insufficient filtering allows attackers to use "file://" and "ms-appinstaller://" protocol URIs. The vulnerability was patched by Microsoft in February 2026. The report includes detection guidance for identifying potential exploitation attempts. The guidance suggests monitoring traffic for malicious links within ".md" files using specific regular expressions. The provided patch restricts links to local files and HTTP(S) URIs, potentially leading to false positives. The report concludes user interaction is required for exploitation and recommends patching to remediate the vulnerability. The research was done by Nikolai Skliarenko and Yazhi Wang from TrendAI.