Death by Notepad: When a Text Editor Becomes a Remote Shell
Vulnerability ID: CVE-2026-20841
CVSS Score: 8.8
Published: 2026-02-10
In a twist of irony that would make a sysadmin cry, the most innocuous application on the Windows operating system—Notepad—has been weaponized. CVE-2026-20841 is a critical Remote Code Execution (RCE) vulnerability affecting the modern, Microsoft Store version of the Windows Notepad App. Driven by the desire to 'modernize' the experience with tabs and cloud integration, developers introduced a URI handler (notepad://) that fails to sanitize input before passing it to the system shell. This allows attackers to execute arbitrary commands on a victim's machine simply by tricking them into clicking a link, turning the humble text editor into a fully functional gateway for malware.
TL;DR
The modern Windows Notepad app (v11.x) contains a command injection flaw in its notepad:// URI handler. Attackers can craft malicious links that, when clicked, force Notepad to execute system commands (like launching ransomware) alongside opening a file. Patch immediately via the Microsoft Store.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-77 (Command Injection)
- CVSS Score: 8.8 (High)
- Attack Vector: Network (User Interaction Required)
- Privileges: None (runs as logged-in user)
- Impact: Full System Compromise (RCE)
- Exploit Status: PoC Available / High Likelihood
Affected Systems
- Windows 10 (with modern Notepad installed)
- Windows 11 (21H2, 22H2, 23H2)
- Windows Notepad App: >= 11.0.0, < 11.2510 (Fixed in: 11.2510)
Exploit Details
- GitHub: Proof of Concept demonstrating calc.exe execution via URI handler
Mitigation Strategies
- Update Windows Notepad App immediately via Microsoft Store
- Block 'notepad://' URI scheme execution via Group Policy or Registry
- Restrict child process creation for Notepad.exe using ASR rules
Remediation Steps
- Open Microsoft Store application
- Navigate to Library
- Click 'Get Updates'
- Verify Notepad version is >= 11.2510
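The version check and the URI-scheme review from the mitigation list above, as an added audit script that is not part of this advisory or of Microsoft's tooling. It assumes the Store package is named Microsoft.WindowsNotepad and that the scheme is registered under HKEY_CLASSES_ROOT\notepad (both assumptions; adjust for your environment), and it should be run from an elevated PowerShell session so that -AllUsers works.

```powershell
# Added audit script (not from the advisory). Assumptions: package name
# Microsoft.WindowsNotepad; scheme registration under HKCR\notepad.
# Run elevated on the host being checked.

$FixedVersion = [version]'11.2510'      # first fixed build named in the advisory
$SchemeKey    = 'Registry::HKEY_CLASSES_ROOT\notepad'

function Test-NotepadPatched {
    # Emits one object per installed copy of the Store Notepad (all user profiles).
    # [version] comparison: 11.2510.21.0 -ge 11.2510 is $true, 11.2412.x.y is $false.
    $pkgs = Get-AppxPackage -AllUsers -Name 'Microsoft.WindowsNotepad' -ErrorAction SilentlyContinue
    if (-not $pkgs) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Patched = $true; Note = 'Store Notepad not installed' }
    }
    foreach ($p in $pkgs) {
        $v = [version]$p.Version
        [pscustomobject]@{
            Installed = $true
            Version   = $v
            Patched   = ($v -ge $FixedVersion)
            Note      = if ($v -ge $FixedVersion) { 'at or above fixed build' } else { 'UPDATE REQUIRED' }
        }
    }
}

function Test-NotepadScheme {
    # Reports whether notepad:// is currently registered as a URL protocol and
    # what command the shell would run for it, so the registration can be
    # reviewed before deciding to block it by policy or registry change.
    $key = Get-Item -Path $SchemeKey -ErrorAction SilentlyContinue
    if (-not $key) {
        return [pscustomobject]@{ Registered = $false; UrlProtocol = $false; OpenCommand = $null }
    }
    $isProtocol = $null -ne $key.GetValue('URL Protocol')
    $cmd = (Get-ItemProperty -Path "$SchemeKey\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Registered = $true; UrlProtocol = $isProtocol; OpenCommand = $cmd }
}

Test-NotepadPatched | Format-Table -AutoSize
Test-NotepadScheme  | Format-List
```

Any row reporting UPDATE REQUIRED means the host is still in the affected range and should be updated through the Microsoft Store before the scheme handler is relied on.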