Notepad Got AI and Almost Turned Every .md File into a Trojan. Microsoft Denies It, But the Patch Is Already Out

Arkadiy Andrienko
Follow-up: "Don't Like AI? Tough Luck": Microsoft Keeps Pushing Copilot Everywhere Despite the Backlash

Microsoft has closed a dangerous "loophole" in the standard Windows 11 app that no one previously took seriously as a threat. The built-in Notepad—the very one where for decades people just jotted down notes and tweaked configs—got AI support along with a bunch of other features, and with it, a vulnerability that allows malicious code to be launched with literally one click.

The issue was identified as CVE-2026-20841 and patched in the February update. The crux of it lies in the incorrect handling of specially crafted links inside .md files. If previously Notepad was just a text field, now it's learned to recognize markup and make links clickable—and it's exactly this "clickability" that played a nasty trick.

Researchers found that if you create a Markdown file in which a link points not to http/https but to file:// or, say, ms-appinstaller://, and open it in a vulnerable version of Notepad (11.2510 and older), a Ctrl+click would make the system execute code without any warning. The link could point to an executable file in a shared SMB folder or on a remote server, and the attacker would gain exactly the same privileges as the user themselves.

The patch came out quickly and, notably, not through an OS update but via the app store—Notepad now lives its own life and updates independently. In the latest versions, the logic has changed: when you try to follow a link with a non-standard protocol, the app pops up a dialog asking if you really want to do that. This all looks like a classic case of how adding "smart" features to an old, reliable tool opens up new attack vectors.
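As an added example (not part of the original article and not Microsoft's code), here is a small Python script a defender could run over .md files to surface the class of link the patched Notepad now prompts on: every target whose scheme is not http/https, plus bare UNC and drive-letter paths. The Markdown parsing rules, the open/confirm policy and the sample document are my own assumptions and constructions.

```python
import re
from urllib.parse import urlsplit

# Schemes the editor may follow without asking; anything else gets a confirmation
# verdict. This allowlist is an assumption, not Notepad's actual logic.
SAFE_SCHEMES = {"http", "https"}

# Three common Markdown link forms: inline [text](target "title"),
# reference definitions [id]: target, and autolinks <scheme:target>.
INLINE_LINK = re.compile(r"!?\[[^\]]*\]\(\s*<?([^\s)>]+)>?(?:\s+\"[^\"]*\")?\s*\)")
REF_DEF = re.compile(r"^\s*\[[^\]]+\]:\s*<?(\S+)>?", re.MULTILINE)
AUTOLINK = re.compile(r"<([a-zA-Z][a-zA-Z0-9+.-]*:[^>\s]+)>")


def extract_link_targets(markdown: str) -> list[str]:
    """Collect every link target from the three patterns above, in document order per pattern."""
    targets: list[str] = []
    for pattern in (INLINE_LINK, REF_DEF, AUTOLINK):
        targets.extend(pattern.findall(markdown))
    return targets


def link_verdict(target: str) -> tuple[str, str]:
    """Classify one link target as (label, 'open' | 'confirm')."""
    if re.match(r"^(\\\\|//)", target):
        return "unc-path", "confirm"       # \\server\share\tool.exe resolves to file://
    if re.match(r"^[A-Za-z]:[\\/]", target):
        return "drive-path", "confirm"     # C:\... is a path, not a URL scheme
    scheme = urlsplit(target).scheme.lower()
    if scheme == "":
        return "relative", "open"          # #anchor or docs/page.md, resolved in-document
    if scheme in SAFE_SCHEMES:
        return scheme, "open"
    return scheme, "confirm"               # file, ms-appinstaller, anything else


def scan_markdown(markdown: str) -> list[tuple[str, str, str]]:
    """Return (target, label, verdict) for every link that should trigger a prompt."""
    return [(t, *link_verdict(t)) for t in extract_link_targets(markdown)
            if link_verdict(t)[1] == "confirm"]


# Constructed sample: a release-notes file mixing ordinary docs links with
# targets that hand off to the file:// and ms-appinstaller:// handlers.
SAMPLE_MD = """# Release notes (constructed sample)
See the [docs](https://example.com/docs) and [changelog](changelog.md).
Run the [installer](file://fileserver/public/setup.exe "one click").
[pkg]: ms-appinstaller://?source=https://example.com/app.msix
<file:///C:/Users/Public/tool.cmd>
"""

if __name__ == "__main__":
    for target, label, verdict in scan_markdown(SAMPLE_MD):
        print(f"{verdict:8} {label:16} {target}")
```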

By the way, the very fact that the vulnerability was fixed with an update to a separate app rather than a system-wide patch is already a sign of how Microsoft is gradually moving away from monolithic Windows updates. On one hand, patches are delivered faster this way, but on the other, many users don't even know their Notepad is updating at all.

Have you checked which version of Notepad you're running and when you last opened the Microsoft Store? Or are you still just using whatever comes with the system, like always? Tell us in the comments.
