Overview
- Microsoft confirmed CVE-2026-20841, a high-severity remote code execution bug in the modern Notepad app with a CVSS score of 8.8.
- The fix is available via the Microsoft Store in build 11.2510 or later, and users are urged to force a Store update and verify the version.
- The affected component is the Store-distributed Notepad, not the legacy Notepad.exe that ships with Windows.
- Successful exploitation could grant attackers the signed-in user’s privileges, exposing local files, shared resources and stored credentials.
- Reports differ on whether the victim must click a malicious link or whether opening a crafted file alone can trigger execution, so guidance advises disabling Markdown-related features and treating external .md and .txt files with caution until patched.
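
One way to do the "verify the version" step above across a machine, as an added example that is not from Microsoft's advisory. It assumes the Store app's package name is `Microsoft.WindowsNotepad` and that the package version begins with the build number shown in the app (for example `11.2510.x.y`); the function names are hypothetical.

```powershell
# Added example: audit Store-distributed Notepad against the fixed build (11.2510).
# Assumption: package name Microsoft.WindowsNotepad; Version looks like 11.2510.x.y.
$FixedVersion = [version]'11.2510.0.0'

function Test-NotepadPatched {
    param([Parameter(Mandatory)][string]$PackageVersion)
    # Compare as [version], not as strings: "11.999" sorts above "11.2510"
    # textually but is an older build numerically.
    return ([version]$PackageVersion -ge $FixedVersion)
}

function Get-NotepadPatchStatus {
    # -AllUsers needs elevation; it also surfaces stale copies still
    # registered for other profiles on shared machines.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)

    $query = @{ Name = 'Microsoft.WindowsNotepad' }
    if ($isAdmin) { $query.AllUsers = $true }

    $packages = @(Get-AppxPackage @query)
    if ($packages.Count -eq 0) {
        # Only the legacy Notepad.exe is present; it is not the affected component.
        Write-Warning 'Store Notepad package not found for the queried scope.'
        return
    }

    foreach ($pkg in $packages) {
        [pscustomobject]@{
            PackageFullName = $pkg.PackageFullName
            Version         = $pkg.Version
            Patched         = Test-NotepadPatched -PackageVersion $pkg.Version
            Scope           = if ($isAdmin) { 'AllUsers' } else { 'CurrentUser' }
        }
    }
}

# Report every registered copy; any row with Patched = False still needs the Store update.
$status = Get-NotepadPatchStatus
$status | Format-Table -AutoSize
if ($status | Where-Object { -not $_.Patched }) {
    Write-Warning "At least one Notepad package is older than $FixedVersion."
}
```

Run it elevated to cover every user profile; without elevation it reports only the current user's package.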