
CVE-2026-20841: Windows Notepad RCE Fixed in Microsoft’s February Patch Tuesday Release

Microsoft’s 2026 Patch Tuesday cadence continues to shape patching priorities. January set the pace with a fix for an actively exploited Windows Desktop Window Manager zero-day (CVE-2026-20805). The February release adds another practical concern: applications that gain richer features also inherit richer risk, and the built-in Windows 11 Notepad app is now the subject of a remote code execution vulnerability. An attacker can lure a user into opening a crafted Markdown file in Notepad and clicking a malicious link, which triggers untrusted protocol handling that pulls down remote content and executes it.

The vulnerability, tracked as CVE-2026-20841, was addressed in Microsoft’s February 10, 2026 security updates and carries a CVSS score of 8.8, rated Important.

Given Microsoft’s dominant role in enterprise and consumer environments, vulnerabilities in its software scale fast and often become repeatable attacker playbooks. Tenable’s Patch Tuesday 2025 review shows the volume defenders face, with Microsoft addressing 1,130 CVEs across 2025 releases and remote code execution making up 30.8% of those fixes. That is why CVE-2026-20841 should not be treated as a routine Important patch. It is an 8.8-rated RCE in the modern Windows Notepad app that can turn a simple Markdown file and a single click into a code execution path.

Register for the SOC Prime Platform, the industry-first AI-Native Detection Intelligence Platform for real-time defense, to explore a collection of 600,000+ detection rules addressing the latest threats and equip your team with AI and top cybersecurity expertise. Click Explore Detections to reach the extensive rule set for vulnerability exploit detection, pre-filtered using the custom “CVE” tag.

Explore Detections

All rules are portable across leading SIEM, EDR, and Data Lake platforms and are aligned with the latest MITRE ATT&CK framework v18.1. Go deeper with AI-native detection intelligence, including CTI references, attack timelines, audit configuration guidance, triage recommendations, and additional context that helps analysts move from alert to action faster.

To further cut detection engineering overhead, security teams can use Uncoder AI to instantly translate detection logic across multiple language formats, generate detections directly from raw threat reports, visualize Attack Flows, accelerate enrichment and tuning, and streamline validation workflows end to end.

CVE-2026-20841 Analysis

Microsoft’s February 2026 Patch Tuesday delivered security updates for 58 vulnerabilities, including six actively exploited issues and three publicly disclosed zero-days.

One of the notable flaws in this release is CVE-2026-20841, a remote code execution issue in the modern Windows Notepad app. Its root cause is command injection: specially crafted input that Notepad should treat as plain text is instead interpreted as something to execute.

Microsoft’s advisory describes a straightforward abuse path that depends on user interaction. An attacker tricks a Windows user into opening a crafted Markdown (.md) file in Notepad and clicking a malicious hyperlink. That click can cause Notepad to hand the link to a protocol handler it has not verified, which loads and executes a remote file, giving the attacker code execution with the permissions of the logged-in user. No privilege elevation is involved: the payload runs as the user who clicked, so a standard-user session bounds the immediate damage, whereas an administrator session does not. In practical terms, the “weapon” is a text file, delivery can be as simple as email or a download link, and the moment of compromise is the click.

If successfully exploited, the attacker inherits the user’s access level, including local files, network shares, and internal tools. In many environments, that is enough to steal data, deploy additional malware, or stage follow-on actions that expand the intrusion.

The affected component is the Microsoft Store-distributed Notepad app, not the legacy Notepad.exe that many teams may think of. This distinction matters operationally because Store apps can fall out of date when automatic updates are disabled or when enterprises do not enforce app version compliance. The fix for CVE-2026-20841 ships through the Microsoft Store as an updated Notepad release, with versions 11.2510 and later marked as remediated, and Microsoft lists it as customer action required: installing the February cumulative update alone does not address it, and the Store app has to be updated separately.

Organizations that rely on affected Windows environments are urged to apply the February updates without delay and to confirm that the Microsoft Store Notepad version is updated to a remediated build. To strengthen coverage beyond patching, SOC teams can enhance defenses with SOC Prime’s AI-Native Detection Intelligence Platform by sourcing detection content from the largest and continuously updated repository, adopting an end-to-end pipeline from detection to simulation, orchestrating workflows in natural language, and staying resilient against emerging threats.

FAQ

What is CVE-2026-20841 and how does it work?

CVE-2026-20841 is a high-severity remote code execution vulnerability in the modern Windows Notepad app. It can be triggered when a user opens a crafted Markdown (.md) file and clicks a malicious hyperlink, causing Notepad to invoke untrusted protocol handling that can download and execute attacker-controlled content under the user’s permissions.

When was CVE-2026-20841 first discovered?

CVE-2026-20841 was publicly disclosed and fixed in Microsoft’s February Patch Tuesday security updates released on February 10, 2026.

What is the impact of CVE-2026-20841 on systems?

If exploited, it can allow an attacker to run code in the context of the logged-in user. That can lead to data theft, malware deployment, credential access, and follow-on intrusion activity, especially in environments where users have broad access to shared resources or elevated privileges.

Can CVE-2026-20841 still affect me in 2026?

Yes. The risk remains for any system running an affected Microsoft Store version of Notepad, particularly in environments where Store apps are not updated automatically or app version compliance is not enforced.

How can you protect from CVE-2026-20841?

Update Notepad immediately from the Microsoft Store, and confirm it runs on a remediated build. Enable automatic app updates in Windows Settings so Store apps do not lag behind. Reduce exposure by avoiding untrusted Markdown files and not clicking links inside unexpected .md documents, especially those received via email or downloads.
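A concrete way to carry out the checks this answer, and the remediation note in the analysis above, call for, as an added example that is not part of the original post or of Microsoft’s guidance: it reads the installed Store Notepad version, compares it with the 11.2510 threshold Microsoft names, and checks whether Group Policy has switched Store auto-updates off. It assumes the Store package is registered as Microsoft.WindowsNotepad (confirm with Get-AppxPackage *Notepad*) and that the AutoDownload=2 value under the WindowsStore policy key is the “Turn off Automatic Download and Install of updates” setting; verify both on your build before relying on the result.

```powershell
# Added example, not code from the SOC Prime post or from Microsoft.
# Assumptions (verify on your build): the Store app's package name is
# Microsoft.WindowsNotepad, and HKLM\SOFTWARE\Policies\Microsoft\WindowsStore
# AutoDownload = 2 is the "Turn off Automatic Download and Install of updates" policy.

$RemediatedVersion = [version]'11.2510'          # first fixed Store release named in the advisory
$PackageName       = 'Microsoft.WindowsNotepad'
$StorePolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'

function Test-NotepadRemediated {
    param(
        [switch]$AllUsers   # needs an elevated session; covers every profile on the machine
    )
    $pkgs = if ($AllUsers) { Get-AppxPackage -AllUsers -Name $PackageName }
            else           { Get-AppxPackage -Name $PackageName }

    if (-not $pkgs) {
        # No Store Notepad registered: not installed, or only the legacy notepad.exe is present.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Installed = $false; Version = $null; Remediated = $null; Users = $null
        }
    }

    foreach ($p in $pkgs) {
        $v = [version]$p.Version   # Store version strings look like 11.2510.x.y
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Installed  = $true
            Version    = $v
            Remediated = ($v -ge $RemediatedVersion)
            Users      = if ($AllUsers) {
                             ($p.PackageUserInformation | ForEach-Object { $_.UserSecurityId.Username }) -join ', '
                         } else { $env:USERNAME }
        }
    }
}

function Test-StoreAutoUpdateBlocked {
    # $true when policy has turned off automatic Store updates: exactly the condition
    # under which a Store-delivered fix such as this one silently lags behind.
    $val = Get-ItemProperty -Path $StorePolicyKey -Name AutoDownload -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.AutoDownload -eq 2)
}

# Run the checks and produce something a ticket can carry.
$result = Test-NotepadRemediated
$result | Format-Table -AutoSize

if ($result | Where-Object { $_.Installed -and -not $_.Remediated }) {
    Write-Warning "Store Notepad is below $RemediatedVersion; update it from the Microsoft Store or via your app management tooling."
}
if (Test-StoreAutoUpdateBlocked) {
    Write-Warning "Policy blocks automatic Store updates; Notepad will not remediate on its own."
}
```

Run it unelevated for the current profile, or call Test-NotepadRemediated -AllUsers from an elevated session to see every profile on the machine; a version below 11.2510 or a blocked auto-update policy is the finding to escalate. Fleet-wide, wrap the two functions in Invoke-Command and feed the objects to whatever tracks app version compliance.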



The post CVE-2026-20841: Windows Notepad RCE Fixed in Microsoft’s February Patch Tuesday Release appeared first on SOC Prime.

CVE-2026-20805: Microsoft Fixes Actively Exploited Windows Desktop Manager Zero-Day

As 2026 gets underway, the pace of critical vulnerability disclosures shows little sign of easing. Following the recent MongoBleed (CVE-2025-14847) revelation, Microsoft has kicked off the year with its first Patch Tuesday release, addressing 114 security flaws across its product ecosystem. Among them is a zero-day vulnerability that was already being exploited in real-world attacks, underscoring the persistent pressure on defenders to keep pace.

The actively exploited flaw, tracked as CVE-2026-20805, has been classified by Microsoft as an important-severity information disclosure vulnerability affecting the Windows Desktop Window Manager (DWM). The issue allows a locally authorized attacker to access sensitive information by abusing weaknesses in how DWM handles system data, potentially exposing details that should otherwise remain protected.

Given Microsoft’s dominant role in powering enterprise and consumer environments worldwide, vulnerabilities in its software carry far-reaching implications. The 2025 BeyondTrust Microsoft Vulnerabilities Report revealed that 2024 set a new record with 1,360 disclosed Microsoft vulnerabilities—an 11% increase year over year—driven largely by Elevation of Privilege (EoP) and RCE flaws. That momentum continued into 2025, with Microsoft patching 1,129 CVEs, marking the second consecutive year the company surpassed the 1,000-vulnerability threshold. Notably, December 2025’s Patch Tuesday was dominated by EoP issues, which accounted for half of all fixes, followed by RCE vulnerabilities at nearly one-third.

Register for SOC Prime Platform, the industry-first AI-Native Detection Intelligence Platform for real-time defense, to explore a collection of 600,000+ detection rules addressing the latest threats and equip your team with AI and top cybersecurity expertise. Click Explore Detections to reach the extensive rule set for vulnerability exploit detection, pre-filtered using the custom “CVE” tag.

Explore Detections

All detection rules can be used across multiple SIEM, EDR, and Data Lake platforms and are aligned with the latest MITRE ATT&CK® framework v18.1. Explore AI-native threat intelligence, including CTI references, attack timelines, audit configurations, triage recommendations, and the additional threat context each rule is enriched with.

Security teams can also significantly reduce detection engineering overhead with Uncoder AI by instantly converting detection logic across multiple language formats for enhanced translation accuracy, crafting detections from raw threat reports, visualizing Attack Flows, accelerating enrichment and fine-tuning while streamlining validation workflows.

CVE-2026-20805 Analysis

Microsoft’s January 2026 Patch Tuesday release delivers fixes for 112 security vulnerabilities spanning a wide range of products, including Windows, Office, Azure, Edge, SharePoint, SQL Server, SMB, and Windows management services. When third-party Chromium-related patches are included, the total number of addressed flaws increases to 114, with 106 classified as Important in severity.

One of the central issues within this release is a zero-day vulnerability that was already being exploited in the wild. Identified as CVE-2026-20805, the flaw affects the Windows Desktop Window Manager and allows for unintended disclosure of sensitive information.

According to Microsoft, the vulnerability enables a locally authenticated attacker to extract protected data by abusing the way Desktop Window Manager handles memory. Specifically, successful exploitation could expose the section address of a remote ALPC port residing in user-mode memory. On its own that is an information leak, but leaked addresses of this kind are the usual way to defeat address-space layout randomization in a follow-on memory-corruption exploit, so the disclosure is best read as a building block for further compromise rather than the end goal.

Microsoft credits its internal security teams with discovering CVE-2026-20805, though the company has not released technical details regarding the active exploitation observed prior to patching.

In response to confirmed exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20805 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are now required to apply the corresponding updates no later than February 3, 2026, highlighting the urgency of remediation.
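The KEV listing turns a patch-priority question into a dated obligation, so a practitioner will want to check a CVE list against the catalog rather than read advisories one by one. The following is an added example, not code from the SOC Prime post or from CISA: it resolves CVE IDs against the KEV feed and reports the due date and days remaining. The live feed lives at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; to keep the example runnable offline it embeds a constructed, KEV-shaped fragment that carries only what the post states for CVE-2026-20805 (the 2026-02-03 due date). The other field values in that fragment, and the use of vendorProject/product/dueDate as the field names, are assumptions about the catalog schema.

```powershell
# Added example, not code from the SOC Prime post or from CISA.
# Looks up CVE IDs in the CISA KEV catalog and reports the federal remediation due date.

function Get-KevStatus {
    param(
        [Parameter(Mandatory)][string[]]$CveId,
        [string]$FeedJson,                 # raw KEV JSON; omit to download the live feed
        [datetime]$AsOf = (Get-Date)       # reference date for the days-remaining calculation
    )
    if (-not $FeedJson) {
        $FeedJson = (Invoke-WebRequest -UseBasicParsing `
            -Uri 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json').Content
    }

    # Index the catalog by CVE ID once so repeated lookups stay cheap.
    $byId = @{}
    foreach ($v in ($FeedJson | ConvertFrom-Json).vulnerabilities) { $byId[$v.cveID] = $v }

    foreach ($id in $CveId) {
        $id    = $id.Trim().ToUpper()
        $entry = $byId[$id]
        if (-not $entry) {
            [pscustomobject]@{ CveId = $id; InKev = $false; Product = $null; DueDate = $null; DaysRemaining = $null }
            continue
        }
        $due = [datetime]::ParseExact($entry.dueDate, 'yyyy-MM-dd', $null)
        [pscustomobject]@{
            CveId         = $id
            InKev         = $true
            Product       = "$($entry.vendorProject) $($entry.product)"
            DueDate       = $due.ToString('yyyy-MM-dd')
            DaysRemaining = [int]($due.Date - $AsOf.Date).TotalDays   # negative means overdue
        }
    }
}

# Constructed sample feed (not real KEV data), shaped like the catalog. Only the
# fields the function reads are filled in, using the due date the post reports.
$sampleFeed = @'
{
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-20805",
      "vendorProject": "Microsoft",
      "product": "Windows",
      "dueDate": "2026-02-03"
    }
  ]
}
'@

# Offline run against the sample; drop -FeedJson to query the live catalog instead.
Get-KevStatus -CveId 'CVE-2026-20805', 'CVE-2026-20841' -FeedJson $sampleFeed -AsOf ([datetime]'2026-01-20') |
    Format-Table -AutoSize
```

Against the sample, CVE-2026-20805 comes back as listed with its due date and a positive days-remaining count relative to the supplied -AsOf date, while CVE-2026-20841 is reported as not in the (sample) catalog; against the live feed the same call answers the question the post raises for any CVE on your backlog, and a negative DaysRemaining is the overdue flag to act on.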

Organizations that rely on corresponding Windows products are urged to apply the patches immediately. Also, by enhancing the defenses with SOC Prime’s AI-Native Detection Intelligence Platform, SOC teams can source detection content from the largest and up-to-date repository, seamlessly adopt the full pipeline from detection to simulation into their security processes, orchestrate workflows in their natural language, and smoothly navigate the ever-changing threat landscape while strengthening defenses at scale.



The post CVE-2026-20805: Microsoft Fixes Actively Exploited Windows Desktop Manager Zero-Day appeared first on SOC Prime.
