On February 10, 2026, Microsoft patched a critical security vulnerability (CVE-2026-20841) in Windows Notepad as part of its Patch Tuesday update cycle. The flaw arose from Notepad's improper handling of special characters within Markdown files. Attackers could exploit it by tricking users into opening a malicious file and clicking an embedded link, leading to remote execution of malicious code and complete system compromise.
The vulnerability, which has a CVSS score of 8.8, specifically affects the latest version of the Notepad application distributed via the Microsoft Store. The risk is elevated when users interact with .md files. Microsoft has stated that, as of now, no instances of public exploitation have been reported. Nevertheless, the company urges users to promptly update their systems and the Notepad application to mitigate potential threats.
This security incident is distinct from the earlier episode involving Notepad++, in which the application's update service was compromised by state-sponsored hackers. That breach occurred because a compromised hosting server distributed malicious updates, a scenario unrelated to the current Notepad vulnerability.
