It is to do with link handling:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
I found a copy of the win98 (I believe) notepad.exe a while back, and it works perfectly on windows 11 (though the "about notepad" dialog shows the windows 11 version for some reason??). I can write text into it, save it, and load text again. What more does notepad need? And it has a very nostalgic font too.
Let's ask the obvious. There should be zero vulns in notepad. It should be feature complete since XP. Who approved this vulnerability, and how quickly can they be fired? The App store is a joke. At least call it Notepad 2.0 or some other flashy garbage so we can proactively label the bullshit as such.
A few days ago, Notepad++ got compromised—apparently by a state actor (or a proxy). And now, today, Windows’ built-in Notepad has a fresh CVE. What a life.
At this point, what am I supposed to do other than uninstall Windows completely? No real sandboxing, a mountain of legacy…
"An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files."
I didn't even know Notepad would render Markdown.
The funny thing is browsers figured out years ago you need to warn users before launching random protocol handlers. Microsoft added clickable links to Notepad and just skipped that part entirely. It's not even about the feature creep, it's that they reinvented something browsers solved ages ago and somehow forgot why those safeguards existed in the first place.
Notepad had one job, display text. Microsoft decided it needed an attack surface instead.
The year of the Linux desktop doesn't need to arrive - it just needs Windows to keep shipping.
I miss when the Notepad was doing what the Notepad is supposed to do: show a text file, plain and simple.
I used notepad as my default, simple text editor for ages.
After they added copilot I finally gave up and uninstalled it and switched to one of the minimalistic clones of the good old notepad.exe.
I imagine it’s probably something to do with the massive scope creep recently, especially with AI and the Markdown features - they’ve tried to fit some of WordPad’s rich text features following its removal.
Bear with me, but I'm not against the new Notepad. It's fairly well done - the markdown - and even the AI dropdown presets seem useful.
But I do wish they had called it something else and kept notepad as txt only.
One of the (not so many) things about Windows that I loved was the zen simplicity of the Notepad. I saw it through Windows 3.1 all the way to the bloated oblivion it was driven to, and I did not like to see that sad, final chapter. (Broader theme, do I miss the simpler computer times!)
Notepad had one job... Seems like bringing markdown features killed it :)
So what this means is every Windows program is now a cve nightmare (or goldmine, depending on view)?
> An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files.
From https://msrc.microsoft.com/update-guide/vulnerability/CVE-20... (there are many collapsible elements on this page, and they're also just for term definitions, sigh)
What a fucking terrible page for someone unfamiliar with the site. the "Learn More" links will allow you to learn what the terms "CWE", "CVSS", "Product Status" mean, but not to learn more about this vulnerability...
Anyway, it's not related to CoPilot, but because Notepad makes links clickable now...
It looks like, after Microsoft discontinued WordPad, they want to implement more features into Notepad. If you want simple plain text editor you have to use msedit[1].
We got notepad.exe RCE before GTA 6
Old notepad is still in Windows 11 at C:\Windows\notepad.exe
They could've just implemented it in webview2 with all the AI features they want.
Seems whatever they do they step in shit. They should stop doing stuff.
They spent the last few years entirely compromising their products rather than improving them.
This wouldn't happen if they'd use more LLM models to triple-check what previous models did during development!
I'm frankly amazed that the majority of new laptops still come with Microsoft Windows.
To be fair, over the years there have been sincere efforts to re-architect the OS with a security, privacy, reliability for persistent storage, graphics, multi-tasking, multi-user, networking etc. But those efforts never caught up with the speed at which bloat was added.
At the heart, its design still has remnants that have the naivety of a stand-alone, stateless microcomputer that boots straight off a floppy after BIOS POST.
I feel like the process of carving out any meaning out of "QA" is complete. It's cathartic, in its twisted way...
8.8 RCE CVE in notepad.exe. Well done microslop
If you can use Reactos' Notepad.exe from the daily ISO build (extract reactos.cab with 7zip) the better.
Actually, the big red flag for me was the removal of "My Computer". Folks, you might still think it's "your computer" but Microsoft clearly doesn't. You've got something they want and they will stop at nothing to take it from you.
This should be treated as an all-out war.
Use SublimeText, it is perhaps faster now than the stock Notepad.
> Product
> Windows Notepad
Disambiguation urgently needed.
So notepad now renders links, then when clicks execute the code on those links (not just loading a website in a browser for example)?
As if you needed another reason to switch to Linux
I'd now like to see a RCE in MS Paint or Calculator, if the exploit finder is reading this.
Microsoft is stuck in exactly the same situation Linux is: It has to be all things to all people. It has to be simple enough that grandma can use it, but powerful enough to not alienate their business customers. Putting link-handling (rich text) in Notepad (the plain-text editor) was idiotic, however.
Just now Notepad integrates very useful copilot assistant... What can go wrong
Good job!
In the past I would have defended Microsoft for this, somehow.
The Microsoft of 2026 is insane and I have 40,000 ideas to improve things without being anticompetitive but I no longer want to work at that company for any amount of money.
Microsoft have been stagnating and letting business people steer product direction for about 30 years too long. MBAs don't know shit. Stop letting them lead product direction. Stop letting people who are not power-users of a product make decisions about that product. PERIOD. No more PMs who aren't advanced users who lived in the tool 8 hours a day for months in a previous role.
Promote people who think differently, ESPECIALLY IF THEY DO NOT FIT IN THE CULTURE AT MICROSOFT TODAY. Think about ways to innovate. Advance the computing landscape, god dammit. Why are terminals still textual? How the fuck have we not moved past this ancient paradigm? Look at Plan9 and adopt features that Plan9 pioneered, and pay zero attention to what customers will accept while doing it - you can change the shape of these features to make them palatable at a later stage of design (there's no reason these features need to be painful for anyone, but they can be--and should be--very secure and inherent, rather than opt-in.)
Just pull your flippin' head out of your ass, Microsoft. Holy shit.
I found a simpler explanation for what's going on [1].
To summarize, malicious Markdown files with custom schemes in URLs can trick users into executing arbitrary code. I honestly didn't know this was a "feature" of Notepad.
I guess that's my real problem here. The constant desire for feature bloat inevitably introduces potential vulnerabilities. In no world did I expect Notepad to have the ability under any circumstances to make network requests and execute arbitrary code.
Nor should I.
As an aside, this is why I violently despise Electron apps and anything that runs its own browser engine for a GUI. I just don't want that level of attack surface in any app that I use.
[1]: https://cybersecuritynews.com/windows-notepad-rce-vulnerabil...
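The scheme check that an earlier comment says browsers apply before launching a protocol handler, applied to the custom-scheme Markdown links the summary above describes, as an added defensive example (not code from Notepad, Microsoft, or any commenter): it extracts link destinations from a Markdown document, normalizes them the way URL parsers do, and allow-lists the scheme instead of launching whatever handler is registered. The sample document, host names and the `badscheme` handler are constructed.

```python
import re

# Schemes a text viewer may hand to the default browser or mail client;
# anything else (file:, drive paths, custom handlers) is reported as blocked.
SAFE_SCHEMES = frozenset({"http", "https", "mailto"})

# Inline links [text](destination "title") and autolinks <scheme:...>.
_INLINE_LINK = re.compile(r"\[[^\]]*\]\(([^)]*)\)")
_AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]*:[^<>\s]*)>")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")  # RFC 3986 scheme
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

def normalize_target(target: str) -> str:
    # Same cleanup URL parsers apply before interpreting a link: strip
    # edge controls/spaces, drop embedded tab/CR/LF ("ht<TAB>tp:" -> "http:").
    target = target.strip(_C0_AND_SPACE)
    return target.replace("\t", "").replace("\n", "").replace("\r", "")

def extract_link_targets(markdown: str) -> list[str]:
    """Destinations of inline links, then autolinks found outside them."""
    targets = []
    for inner in _INLINE_LINK.findall(markdown):
        dest = inner.strip()
        if dest.startswith("<") and ">" in dest:
            dest = dest[1:dest.index(">")]     # <destination> form
        else:
            parts = dest.split()               # drop an optional "title"
            dest = parts[0] if parts else ""
        targets.append(dest)
    targets.extend(_AUTOLINK.findall(_INLINE_LINK.sub("", markdown)))
    return targets

def classify_target(target: str) -> tuple[str, str]:
    """(scheme, verdict): allow/block by scheme, relative when no scheme."""
    match = _SCHEME.match(normalize_target(target))
    if not match:
        return ("", "relative")
    scheme = match.group(1).lower()
    return (scheme, "allow" if scheme in SAFE_SCHEMES else "block")

def audit_markdown(markdown: str) -> list[tuple[str, str, str]]:
    """(target, scheme, verdict) for every link in the document."""
    return [(t, *classify_target(t)) for t in extract_link_targets(markdown)]

SAMPLE_MD = """Docs: [changelog](https://example.com/changelog "Release notes")
Autolink: <http://example.com/docs>
Custom handler: [open me](badscheme://constructed-host/item)
Local program: [old notepad](C:\\Windows\\notepad.exe)
Relative: [readme](docs/README.md)
"""  # constructed sample; no real hosts or protocol handlers referenced
```

Note that a drive-letter path is classified as scheme `c` and blocked, which is the right outcome for a viewer that should only ever open web and mail links; a viewer that wants relative links to work can treat the `relative` verdict as a local file open rather than a handler launch.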
use linux
What AI great job!
Yeah, clicking unverified links in a markdown document to launch an executable....
Clicking unknown links is always a bad idea, but a CVE for that? I dunno....
You can literally one-shot Opus 4.6 to make a better, faster, safer, more secure notepad.exe than the one that comes with Windows.
This isn't an AI slop problem.
Congratulations Microslop.
We have officially reached the logical conclusion of the feature-bloat-to-vulnerability pipeline.
For nearly thirty years, notepad.exe was the gold standard for a "dumb" utility which was a simple, win32-backed buffer for strings that did exactly one thing: display text. An 8.8 CVSS on a utility meant for viewing data is a fundamental failure of the principle of least privilege.
At some point, they need to stop asking "can we add this feature?" and start asking "does this text editor need a network-aware rendering stack?"