Remember when Notepad was just… Notepad? A simple text editor nobody asked to be modernized?

Yeah, Microsoft didn’t care either. They bolted on Markdown support and AI features anyway. And now we’ve got CVE-2026-20841. Remote code execution. Via a text file. This is the kind of thing that makes you go “oh come on, really?”

  • FauxPseudo@lemmy.world · 25 upvotes · 8 hours ago

    From my post elsewhere on this topic:

    Yet another in my ongoing series of headlines about how messed up Microsoft and tech in general is by using just Notepad as an example.

    Why Notepad? Because it was supposed to be the most basic built-in text editor for the Windows environment. The thing that would always work. The thing that would do exactly what it was supposed to no matter what.

    They have messed it up so bad that it’s now an attack vector.

    It’s the prime example of how they keep taking things that work and make them worse.

    • Th3D3k0y@lemmy.world · 7 upvotes · 7 hours ago

      A few months ago (maybe a year) I found myself in a situation where I had to uninstall and re-install the native Calculator to Windows because of some error. How in the hell did they mess up a calculator? Well the same way they probably messed up the closest thing we have to pencil and paper on Windows.

  • khapyman@sopuli.xyz · 10 upvotes · 8 hours ago

    As I’m in no position to demand company wide switch to a sane operating system I’m constantly in awe of new and innovative ways Microsoft has managed to make my day suck. One such thing is that they have decided that Win 11 Notepad will convert everything it touches to UTF-16. That’s kind of a problem when an external system expects ISO-8859-15 and users have decades of experience in editing said config files with Notepad.

    • Random_Character_A@lemmy.world · 1 upvote · edited · 7 hours ago

      For some reason I have a vague memory that the old notepad is still there. You just need to do an extra loop to start it. I’ll check if I can find the link.

      It’s been a while and I’m a Linux user, so I didn’t really pay attention.

      Edit: It’s in the system32 folder

      • khapyman@sopuli.xyz · 5 upvotes · 6 hours ago

        That’s pretty much the problem. You know how to work around the issue. I know how to work around the issue. Institutional knowledge doesn’t and just opens the application just like they’ve always done. I resolved this one by associating .csv files with Notepad++ company wide. Now this is a mandated change so they’ll grumble and get on track.

        The real issue I have with all this is changing data without consent. It’s like the new Notepad is malware all by itself, doesn’t even need remote exploits.

        And hello fellow Linux user :)

  • 9point6@lemmy.world · 75 upvotes, 1 downvote · edited · 12 hours ago

    You know what’s really stupid about this

    Notepad existed for decades, resisting the general trend of Microsoft software, and it continued to do one thing, and do it well (for the purposes of this argument, let’s not get started on line endings)

    If someone wanted to do more than just view text files, there was wordpad, a stripped down word processor, that would have been the perfect application to add support for markdown to.

    Except they killed it, because enough people must have realised that the word processor bundled with the OS did everything they needed without having to pay Microsoft a subscription for Word.

    So now Microsoft is trying to turn notepad into the rudimentary word processor that people expect to come with their OS, destroying the aspect that made it useful

  • FlashMobOfOne@lemmy.world · 7 upvotes, 1 downvote · 8 hours ago

    They’ve been enshittifying it for over a year.

    Use LibreOffice instead. It’s available on both Windows and Linux.

    • chaogomu@lemmy.world · 6 upvotes · 7 hours ago

      LibreOffice is good, but it’s not a Notepad replacement. It does far too much for that.

      If you want a lightweight text editor then Notepad++ is the one to look at.

      Or rather it was until State Sponsored Hackers started running attacks on the domain. So maybe grab the software from GitHub instead.

      • fluxx@lemmy.world · 1 upvote · 6 hours ago

        Yeah, but notepad++ was recently hacked and has been compromised. Unfortunate timing.

        • chaogomu@lemmy.world · 3 upvotes · 5 hours ago

          The software itself wasn’t compromised. But the download link was. So if you downloaded it in the last year, you downloaded state sponsored malware.

  • Pamasich@kbin.earth · 15 upvotes · 11 hours ago

    The remote code execution isn’t “via a text file”. It’s via a link in a text file, which Notepad now lets you actually click.

    Just don’t click on links you don’t know the destination of (Notepad shows the destination for https links at least, on hover) and you don’t have any remote code executing.
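Added example (not part of the thread and not Microsoft's code): a pre-open check in the spirit of the comment above, listing every link destination in a Markdown file with its URI scheme so the target is visible before anything is clicked. Treating every scheme other than http/https as needing review is an assumed policy, the regexes cover the common link forms rather than full CommonMark, and the sample text is constructed.

```python
import re

# Common Markdown link forms (not a full CommonMark parser):
# inline [text](dest), autolink <scheme:rest>, reference definition [id]: dest
INLINE = re.compile(r'\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)')
AUTOLINK = re.compile(r'<([A-Za-z][A-Za-z0-9+.-]{1,31}:[^<>\s]*)>')
REFDEF = re.compile(r'^[ ]{0,3}\[[^\]]+\]:[ \t]*<?(\S+?)>?(?:\s|$)', re.M)
SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9+.-]*):')

# Assumption: only ordinary web links are expected in the files being checked.
EXPECTED_SCHEMES = {"http", "https"}

def audit_links(markdown_text):
    """Return one record per distinct link: line, destination, scheme, flagged."""
    seen = set()
    for pattern in (INLINE, AUTOLINK, REFDEF):
        for match in pattern.finditer(markdown_text):
            dest = match.group(1)
            line = markdown_text.count("\n", 0, match.start(1)) + 1
            seen.add((line, dest))  # the same link can match two patterns
    records = []
    for line, dest in sorted(seen):
        found = SCHEME.match(dest)
        scheme = found.group(1).lower() if found else ""  # "" = relative/local
        records.append({"line": line, "dest": dest, "scheme": scheme,
                        "flagged": scheme not in EXPECTED_SCHEMES})
    return records

# Constructed sample input, not taken from any real file.
SAMPLE = """\
# Release notes (constructed sample)
See the [changelog](https://example.org/changelog) for details.
Open the [notes](file:///C:/example/notes.txt) to continue.
Contact <mailto:admin@example.org> or read [the docs][docs].
A relative link: [readme](README.md)

[docs]: example-handler://open?item=1
"""

if __name__ == "__main__":
    for rec in audit_links(SAMPLE):
        mark = "REVIEW" if rec["flagged"] else "ok"
        print(f'{mark:6} line {rec["line"]}: {rec["scheme"] or "(none)"} -> {rec["dest"]}')
```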

  • CerebralHawks@lemmy.dbzer0.com · 10 upvotes · 10 hours ago

    Mac guy who uses Windows at work. It can be disabled.

    On my Windows 11 workstation, the AI stuff and Markdown stuff is gone from Notepad. It’s very easy to do in the settings, and there’s even a gear icon right on the main window. As a Mac user I know ⌘+, (Command + Comma) opens Settings, but with Windows, it’s typically File --> Settings or Tools --> Settings or something like that. Notepad makes it even easier. The AI stuff can be disabled with a click. The Markdown stuff will warn you that any Markdown will be converted to plain text, which is fine, because I don’t even know Markdown. (I assume it’s similar to the formatting used on Lemmy, Reddit, et al.)

    If there’s a way to deny Notepad access to the network, I don’t know it, and probably can’t do it on a locked-down workstation anyway. They lock down a lot of dumb shit, like the wallpaper. We can’t change the wallpaper. I can’t change my phone number in my Outlook profile, either — it just goes to the switchboard. I can put my direct line in my email signature and they actually encourage that. Dumb shit like that.

    Anyway, TextEdit (the Mac equivalent) has none of that dumb shit AFAIK. It always opens in small windows and the text is super tiny. Oddly enough, after a restart, Notepad wants the text two sizes too big, but I do CTRL+- (Control plus Minus/Dash) I think, twice, and it’s just right. Honestly I like Notepad a little more. The real GOAT (on both Mac and Windows!) is Sticky Notes, though. It’s not the same application but it has the same functions.

    • thisbenzingring@lemmy.today · 3 upvotes · 8 hours ago

      the dumb shit that locks down the wallpaper is usually a group policy and those are basically on/off type options with very little configuration options

      the Outlook profile thing with the phone number is usually because IT doesn’t get to control that and it’s in the HR section of your profile on the 365 portals, so the path of least resistance is just put it in your email signature and stop bothering us with your requests that take lots of manpower because Microsoft has made this all so overtly complicated so that they can sell more stuff to your business that requires more input that nobody knows how to do because Microsoft writes shitty info documents that read like a jigsaw puzzle

  • Pycorax@sh.itjust.works · 5 upvotes · 9 hours ago

    Isn’t the point of an RCE that the user doesn’t need to click and run the malicious code? What makes this different from the user opening a site on a browser which is filled with links?

    • thisbenzingring@lemmy.today · 4 upvotes · 8 hours ago

      the browser knows it’s opening links and has a code base on how to do that

      notepad isn’t supposed to fetch data when the file it opens contains code that acts like a link

  • ilillilillilillililli@lemmy.world · 2 upvotes, 2 downvotes · 11 hours ago

    Can anyone tell me if Win 10 LTSC IoT 21H2 is also affected? This is the only M$ OS I run on a few devices (I pretentiously use Linux BTW). If notepad.exe on LTSC is still being molested by updates, that’s beyond fucked.