Windows Editor (Notepad): Details on Markdown security vulnerability

The Patchday updates close a vulnerability in the Windows Editor (Notepad) that allows attacker-controlled code to be launched via Markdown links. Details about the flaw are now available.


With the Windows updates released on Patchday, Microsoft closed a security vulnerability in the Markdown processing of the Windows Editor (notepad.exe). Attackers can use the flaw to run malicious code. More detailed information is now available from Trend Micro's Zero-Day Initiative (ZDI), which also gives admins filter rules for detecting attacks.

The analysis of the command injection vulnerability in the Windows Editor has been published by IT researchers on the ZDI blog. They explain that the vulnerability in the Windows Editor (notepad.exe) occurs when processing Markdown files and is caused by insufficient filtering of link targets. Attackers can exploit it by tricking potential victims into downloading a manipulated file, opening it, and clicking on a prepared link within it. A successful attack leads to the execution of arbitrary commands in the context of the victim's account (CVE-2026-20841, CVSS 7.8, risk "high"). There are currently no indications of active exploitation.

ZDI's researchers note that until recently the default Windows Editor, notepad.exe, only had rudimentary editing capabilities. In current Windows versions, however, an improved and extended version ships as standard. The new version supports more file formats, Markdown rendering, and Copilot functions. Markdown allows text formatting and, among other things, embedded links, written in the form [link-name](link/path). The Trend Micro researchers detail the vulnerability at the code level in their analysis.

When rendering Markdown, the editor reacts to clicks on links: it filters the link target and passes it to the Windows API function ShellExecuteExW(). That filtering is insufficient, because it lets through protocol URIs such as "file://" or "ms-appinstaller://". Since ShellExecuteExW() dispatches a URI to whatever handler is registered for its scheme, an attacker-chosen file or installer package is launched in the victim's context. Depending on the system configuration, other registered protocol handlers may also be exploitable in this way.


The IT researchers therefore recommend closely inspecting and filtering traffic on the following ports: FTP (ports 20 and 21/TCP), HTTP (port 80/TCP), HTTPS (port 443/TCP), IMAP (port 143/TCP), NFS (ports 111/UDP+TCP and 2049/UDP+TCP), POP3 (port 110/TCP), SMTP (ports 25 and 587/TCP), and SMB/CIFS (ports 139 and 445/TCP). Traffic should be checked for Markdown files with the file extension .md. If such files are detected, ZDI recommends scanning their content for links containing the strings "file:" or "ms-appinstaller:". For this, the researchers provide regular expressions that match Markdown links using these URI handlers: (\\x3C|[\\^\\x5d]+\\)\\(\\file:(\\x2f|\\\\\\x5c\\\\\\x5c){4} for the file: URI handler and (\\x3C|[\\^\\x5d]+\\)\\(\\ms-appinstaller:(\\x2f|\\\\\\x5c\\\\\\x5c){2} for the ms-appinstaller: URI handler. Matches with these rules should be classified as malicious.
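The following Python script is an added example and not ZDI's filter rule or any Microsoft code. It shows the content check described above applied to a Markdown file itself (for example on a mail gateway or as an endpoint scan) rather than to a network stream, and it takes the allowlist route that the flaw in the editor's link handling argues for: every link target is reduced to its URI scheme, only http, https and mailto are accepted, the two handlers ZDI names are labelled as known-bad, and any other scheme is reported as well, which covers the "other protocol handlers" the researchers mention. Drive-letter paths and relative paths get their own verdicts. The Markdown link grammar (a subset of [text](target) and <scheme:...> autolinks), the allowlist, the verdict names and the sample document are all assumptions made for this example; the sample .md content is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not ZDI's or Microsoft's code: scan Markdown for link targets
# that a viewer would hand to ShellExecuteExW() and classify them by scheme.

# Schemes a Markdown viewer has a legitimate reason to open (assumed allowlist).
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# The two handlers ZDI names; kept separate only so the report can label them.
KNOWN_BAD_SCHEMES = {"file", "ms-appinstaller"}

# [text](target ...) with an optional <...> around the target; title text is ignored.
INLINE_LINK = re.compile(r"\[[^\]]*\]\(\s*<?(?P<target>[^\s)>]+)")
# <scheme:...> autolinks, e.g. <file:///C:/x.exe>
AUTOLINK = re.compile(r"<(?P<target>[A-Za-z][A-Za-z0-9+.-]*:[^\s<>]+)>")
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


@dataclass
class Finding:
    line: int
    target: str
    scheme: str
    verdict: str  # allowed | known-bad | unlisted-scheme | local-path | no-scheme


def normalize(target: str) -> str:
    """WHATWG URL pre-processing: drop tab/CR/LF anywhere, strip leading and
    trailing C0 controls and spaces, so 'fi<TAB>le:' is still seen as file:."""
    t = target.replace("\t", "").replace("\r", "").replace("\n", "")
    return t.strip("".join(chr(c) for c in range(0x21)))


def classify(target: str) -> Tuple[str, str]:
    """Return (verdict, scheme) for one link target."""
    t = normalize(target)
    m = SCHEME.match(t)
    if not m:
        return "no-scheme", ""           # relative path such as docs/notes.md
    scheme = m.group(1).lower()          # FILE: and file: reach the same handler
    if len(scheme) == 1:
        return "local-path", scheme      # C:\... is a drive letter, not a URI
    if scheme in KNOWN_BAD_SCHEMES:
        return "known-bad", scheme
    if scheme in ALLOWED_SCHEMES:
        return "allowed", scheme
    return "unlisted-scheme", scheme     # any other registered protocol handler


def scan_markdown(text: str) -> List[Finding]:
    """Extract every link target per line and classify it (deduplicated)."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        targets = [m.group("target") for m in INLINE_LINK.finditer(line)]
        targets += [m.group("target") for m in AUTOLINK.finditer(line)]
        for target in targets:
            key = (lineno, normalize(target))
            if key in seen:
                continue                 # <...> inside [..](...) matched twice
            seen.add(key)
            verdict, scheme = classify(target)
            findings.append(Finding(lineno, target, scheme, verdict))
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Links worth blocking or quarantining; relative links are left for review."""
    return [f for f in findings if f.verdict not in ("allowed", "no-scheme")]


# Constructed sample document; none of these hosts or files are real.
SAMPLE_MD = """# Release notes (constructed sample, not a real document)
See the [project site](https://example.com/docs) and mail [us](mailto:team@example.com).
Download the [installer](ms-appinstaller://?source=https://example.com/app.msix).
Open the [helper](file:////server/share/tool.exe) to continue.
Autolink: <FILE:///C:/Windows/System32/calc.exe>
Local: [run me](C:\\Tools\\run.cmd)
Custom: [handler](myapp://launch?x=1)
Relative: [notes](docs/notes.md)
"""

if __name__ == "__main__":
    for f in suspicious(scan_markdown(SAMPLE_MD)):
        print(f"line {f.line}: {f.verdict:16} {f.target}")
```

On the sample, the two https/mailto links pass, the ms-appinstaller and both file: links (including the upper-case autolink) are reported as known-bad, the drive-letter path and the custom myapp: scheme are reported too, and the relative link is only listed for review. Whether relative paths should be blocked outright depends on how the viewer resolves them; this example deliberately keeps that decision separate from the scheme check.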

The Windows Editor is not the only editor affected by such vulnerabilities: the popular text editor Notepad++ recently closed a code injection vulnerability with a security update.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.