Microsoft adds and fixes remote code execution vulnerability in Notepad

Source: OSNews

Article note: ... Y'all. The shovelware to sell services and coerce user behavior to hit metrics, promotion-driven development bloat and creep, and general not giving a fuck slopcoding landed an RCE in an automatic update to a 40-year-old text editor in the default system image. Windows as a platform was closer to "done" in 2010 than it has been since. The structural incentive that commercial software can never be done is a huge problem that keeps computing tools perpetually immature.

What happens when you slopcode a bunch of bloat to your basic text editor? Well, you add a remote code execution vulnerability to notepad.exe.

Improper neutralization of special elements used in a command (‘command injection’) in Windows Notepad App allows an unauthorized attacker to execute code over a network.

[…]

An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.

↫ CVE-2026-20841

I don’t know how many more obvious examples one needs to understand that Microsoft simply does not care, in any way, shape, or form, about Windows. A lot of people seem very hesitant to accept that with even LinkedIn generating more revenue for Microsoft than Windows, the writing is on the wall.

Anyway, the fix has been released through the Microsoft Store.
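
The CVE text describes links in a Markdown file launching unverified protocols. As an added example (not from OSNews, the CVE entry, or Microsoft's fix), here is one way a Markdown viewer can check link schemes against an allowlist before handing a target to the OS; the allowlist, the function names and the sample document are assumptions constructed for illustration.

```python
import re

# Assumption: only these schemes may be handed to the OS protocol launcher.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline links [text](target), autolinks <scheme:...>, and
# reference definitions "[id]: target".
INLINE = re.compile(r'\[[^\]]*\]\(\s*<?([^)\s>]+)')
AUTOLINK = re.compile(r'<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]*)>')
REFDEF = re.compile(r'^\s{0,3}\[[^\]]+\]:\s*<?([^\s>]+)', re.MULTILINE)
SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9+.-]*):')

# Constructed sample document (hypothetical hosts and handler name).
SAMPLE = """\
See [the docs](https://example.com/docs) or mail <mailto:admin@example.com>.
[report](FTP://files.example/report.txt)
[installer]: example-app://open/path
[notes](C:\\Users\\me\\notes.txt)
"""


def link_targets(markdown):
    """Return every link target found by the three patterns above."""
    targets = []
    for pattern in (INLINE, AUTOLINK, REFDEF):
        targets.extend(pattern.findall(markdown))
    return targets


def scheme_of(target):
    """Return the lower-cased URI scheme, or None if the target has none."""
    m = SCHEME.match(target)
    return m.group(1).lower() if m else None


def audit(markdown):
    """Map each link target to 'allow' or 'block' (default is block)."""
    return {
        t: "allow" if scheme_of(t) in ALLOWED_SCHEMES else "block"
        for t in link_targets(markdown)
    }


if __name__ == "__main__":
    for target, verdict in audit(SAMPLE).items():
        print(f"{verdict:5}  {target}")
```

Schemes are compared case-insensitively, and anything not explicitly allowlisted, including scheme-less targets and drive-letter paths that parse as a one-letter scheme, is blocked rather than launched.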
