Share
## https://sploitus.com/exploit?id=19A8CE51-BEE6-56F6-87FF-6C3579DBFC5C
# CVE-2026-20841
*This content corresponds to a part of what is provided through the Monthly Report for PatchPoint subscribers.

## Overview

Microsoft disclosed a [patch for an RCE vulnerability in Notepad in February 2026](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841). The vulnerability is a Command Injection vulnerability that occurs in Notepad, which is triggered when a link is clicked together with the Control button in Windows Notepad's markdown rendering.
The vulnerability can be explained simply. When accessing a link via Control Click in Markdown, there is no filtering on the URI scheme, so the handler application for that protocol is executed and no warning dialog appears for this. The affected scope of the vulnerability is as follows.
- affected from **11.0.0** before **11.2510** (Ref [Link](https://vulners.com/cve/CVE-2026-20841))

The already patched version and the unpatched version can be checked as follows.





MSRC's FAQ explains as follows.
```
Q. How could an attacker exploit this vulnerability?
A. An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.

Q. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?
A. The malicious code would execute in the security context of the user who opened the Markdown file, giving the attacker the same permissions as that user.
```

The above content has possible scenarios and impossible scenarios. To state the conclusion first, it is not easy in a "normal situation".

## PoC







## Detail

To state the conclusion first, an additional vulnerability is needed for the attack to succeed, making it an inefficient attack vector. This is because finding an environment that requires user interaction including a limited version + Download -> Execute -> Markdown View -> Control+Click, and then chaining yet another vulnerability to attack, is very inefficient.

Below is a detailed explanation of what was said about it being difficult in a normal situation. Generally, when we say RCE, there can be issues where code is executed remotely when a victim downloads a file and executes it. Generally, what becomes a problem at this point is MoTW (Mark of the Web).
When downloaded from the internet, if you check using the `dir /r` command as follows, the MoTW setting (ZoneID=3) is registered through `ADS`.








If MoTW is set like this, a window for user interaction corresponding to a kind of security warning message will appear as follows.





If you click the warning dialog, it does execute as follows.





Then, for this, a method to bypass MoTW must be considered. Since this vulnerability is not an LPE, it is created with the same privileges, and if so, an attack payload crafted in a local environment would be meaningless.

For bypassing MoTW, there are several methods. Commonly used methods are WebDAV and the method using SMB through UNC Path.

---

A method that is possible but difficult is using a native scheme like the Follina vulnerability. The most basic ms-* is a good method. (However, I believe that ms-* vulnerabilities can certainly work in a more useful way.) Since Teams is also installed by default these days, the msteams: scheme also works, and the odopen scheme for OneDrive also works.





As shown above, if you execute ms-mmsys, it operates according to the method registered in the registry without any separate authentication dialog.





Please keep in mind that this means it is possible, but since it is actually in the territory of a new vulnerability, only the methodology is presented.

---


If the user configures it, there can be yet another scenario. It is a method through HTML with ActiveX/VBScript. You can use the "IE.HTTP:" scheme, but the problem is that IE is not set as the default, which is a big problem. ๐Ÿ˜‚ A separate setting must be configured to redirect to IE, and ActiveX must also be set to work in IE. ๐Ÿ˜





This is because ActiveX does not work in Edge as shown above. In conclusion, it is very limited.


Similarly, these days when you install apps, various schemes become available. For example, for WinSCP users the sftp: scheme would be applied, and for people who installed Adobe Acrobat the acrobat: scheme would be accessible. If a useful command can be executed from such a scheme, that could be a problem.

---

## Summary

In summary, this vulnerability can be a vector for Remote Code Execution. Every time a new feature comes out, any product has been a target for attack and verification, and this bug that came out this time corresponds to one of those vulnerabilities. ๐Ÿ˜€