Microsoft Fixes Windows 11 Bug That Let Attackers Run Remote Code in Notepad

Microsoft has fixed a major security flaw in the Windows 11 version of Notepad. Microsoft introduced Markdown support in May 2025, inadvertently enabling attackers to exploit Notepad to run malicious code remotely and load and execute files on a target’s PC. Since then, Microsoft has identified the flaw as a CVSS score of 8.8 on a scale of 0 to 10, indicating a high risk that requires immediate attention. The fix was introduced in its Patch Tuesday updates on Feb. 10.
The vulnerability comes from the way Notepad handles Markdown hyperlinks. Attackers craft malicious .md files with embedded links that trigger unverified protocol handlers when users click them, leading to code execution in the logged-in user’s context, Threat Landscape Blog explains.
Researchers discovered that the issue affects Notepad versions 11.0.0 through 11.2509. Though Microsoft doesn’t know of any real-world cases where the flaw was exploited, it recommends that users update Notepad to build 11.2510 or later via the Microsoft Store or Windows Update. Security teams now monitor Notepad to see if it starts apps like Command Prompt or PowerShell, and the app blocks execution of unknown Markdown (.md) files. Notepad also uses Windows security rules (AppLocker or WDAC) to limit what can run, which cuts the risk of an attack.
© 2001-2026 Ziff Davis, LLC., a Ziff Davis company. All Rights Reserved.
ExtremeTech is a federally registered trademark of Ziff Davis, LLC and may not be used by third parties without explicit permission. The display of third-party trademarks and trade names on this site does not necessarily indicate any affiliation or the endorsement of ExtremeTech. If you click an affiliate link and buy a product or service, we may be paid a fee by that merchant.

source