CVE-2026-20841 Arbitrary Code Execution in the Windows Notep... #1921

Open
carlospolop wants to merge 1 commit into master from update_CVE-2026-20841__Arbitrary_Code_Execution_in_the_Wi_20260220_015422

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://www.thezdi.com/blog/2026/2/19/cve-2026-20841-arbitrary-code-execution-in-the-windows-notepad
  • Blog Title: CVE-2026-20841: Arbitrary Code Execution in the Windows Notepad
  • Suggested Section: 🕸️ Pentesting Web -> Open Redirect / URI handlers OR 🪟 Windows Hardening -> Windows Local Privilege Escalation (as a new subpage better placed under Windows security 'Protocol Handlers / ShellExecute(Ex) abuse' or 'URI Scheme Handler Attacks'); alternatively a new page under Generic Hacking for 'ShellExecuteExW / protocol handler execution via crafted links (Markdown/HTML)'.

🎯 Content Summary

Title / Context
ZDI (TrendAI Research Team) write-up of CVE-2026-20841, a command injection / arbitrary code execution issue in the modern Windows Notepad (Notepad.exe) caused by improper validation of Markdown links. Exploitation yields arbitrary command/file execution in the security context of the logged-in victim (no privilege elevation is implied). The attack requires user interaction: the victim must open a malicious <cod...

🔧 Technical Details

Markdown link → OS protocol handler execution (ShellExecuteExW abuse): When a Markdown-capable application turns link targets into clickable UI elements and forwards the link target into ShellExecuteExW() (or equivalent shell dispatch) without strict allowlisting of schemes and paths, an attacker can place dangerous protocol URIs (e.g., file:, ms-appinstaller:) inside Markdown links ([text](target) or autolinks <target>). On click, Windows selects the registered protocol handler and executes/opens the referenced content, enabling code execution in the user’s context. The exploitability and payload options expand with any additional protocol handlers registered on the target system.

Autolink parity: Inline links of the form <link/path> are rendered as [link/path](link/path), so both syntaxes must be considered when crafting payloads and when writing detections.

🤖 Agent Actions

Summary:

  • Added a dedicated Windows page on ShellExecute/URI protocol handler abuse via Markdown renderers, covering Notepad’s Markdown surface, payload crafting nuances (autolinks, backslash normalization), exploitation flow, and detection regexes for file:/ms-appinstaller: schemes.
  • Linked the new content from the Windows LPE “Misc” section to surface the user-context code execution vector.

Updated files:

  • src/windows-hardening/protocol-handler-shell-execute-abuse.md
  • src/windows-hardening/windows-local-privilege-escalation/README.md

Tests:

  • Not run (not applicable).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 949
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
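The technical details above describe the root cause (a Markdown link target handed to ShellExecuteExW without a scheme allowlist) and the bot's summary mentions detection regexes for the file:/ms-appinstaller: schemes plus autolink and backslash-normalization nuances. The following Python is an added example written for this review, not code from the PR's diff, from the HackTricks page it adds, or from the ZDI write-up: it extracts link targets from both Markdown link syntaxes, normalizes backslashes, classifies each target by scheme, and shows the allowlist gate a hardened renderer would apply before dispatching a click. The allowlist contents, the regexes and the sample Markdown are assumptions constructed for the example.

```python
import re

# Schemes the write-up and this PR name as dangerous when forwarded to a shell dispatch.
DANGEROUS_SCHEMES = {"file", "ms-appinstaller"}
# Assumed allowlist a hardened link renderer would enforce (an assumption, not Notepad's actual policy).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Both syntaxes the PR notes must be covered:
#   [text](target "optional title")   -> group "inline"
#   <scheme:target>                    -> group "auto"
LINK_RE = re.compile(
    r"\[[^\]]*\]\(\s*<?(?P<inline>[^)\s>]+)>?[^)]*\)"
    r"|<(?P<auto>[A-Za-z][A-Za-z0-9+.-]*:[^<>\s]+)>"
)
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def extract_link_targets(markdown: str) -> list[str]:
    """Return raw link targets in document order, covering inline links and autolinks."""
    targets = []
    for m in LINK_RE.finditer(markdown):
        target = m.group("inline") or m.group("auto")
        if target not in targets:
            targets.append(target)
    return targets


def normalize_target(target: str) -> str:
    """Canonicalize a target before scheme matching: backslashes become slashes
    (the PR notes backslash normalization as a payload nuance) and whitespace or
    non-printable characters that could split a scheme are removed."""
    t = target.strip().replace("\\", "/")
    return "".join(ch for ch in t if ch.isprintable() and not ch.isspace())


def scheme_of(target: str) -> str:
    """Lower-cased URI scheme of an already-normalized target, or '' for relative paths."""
    m = SCHEME_RE.match(target)
    return m.group(1).lower() if m else ""


def classify_link(target: str) -> str:
    """Verdict for one link target: dangerous, allowed, relative or unknown-scheme."""
    scheme = scheme_of(normalize_target(target))
    if scheme in DANGEROUS_SCHEMES:
        return "dangerous"
    if scheme in ALLOWED_SCHEMES:
        return "allowed"
    if scheme == "":
        return "relative"
    return "unknown-scheme"


def find_dangerous_links(markdown: str) -> list[str]:
    """Detection side: normalized targets whose scheme is on the dangerous list."""
    return [
        normalize_target(t)
        for t in extract_link_targets(markdown)
        if classify_link(t) == "dangerous"
    ]


def may_dispatch(target: str) -> bool:
    """Mitigation side: the allowlist gate a renderer should apply before any shell
    dispatch. Only explicitly allowed schemes pass; relative paths, unknown schemes
    and dangerous schemes are all refused (deny by default)."""
    return classify_link(target) == "allowed"


# Constructed sample document mixing benign links with the schemes named above.
SAMPLE_MD = r"""# Release notes
See [docs](https://example.com/docs) and <https://example.com/faq>.
[Open me](file:///C:/Windows/System32/calc.exe)
<ms-appinstaller:?source=https://example.invalid/app.msix>
[backslash](FILE:\\server\share\tool.exe)
[local](./README.md)
"""

if __name__ == "__main__":
    for t in extract_link_targets(SAMPLE_MD):
        print(f"{classify_link(t):14} dispatch={may_dispatch(t)!s:5} {t}")
    print("flagged:", find_dangerous_links(SAMPLE_MD))
```

Running the block over the constructed sample flags the file: link, the ms-appinstaller: autolink and the upper-case, backslash-separated FILE: link, while only the two https links pass the dispatch gate. The point of keeping `find_dangerous_links` and `may_dispatch` separate is that the same scheme parser serves both a content scanner (for mail or file-share inspection) and the allowlist check that removes the bug class in the renderer itself.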

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.thezdi.com/blog/2026/2/19/cve-2026-20841-arbitrary-code-execution-in-the-windows-notepad

Content Categories: Based on the analysis, this content was categorized under "🕸️ Pentesting Web -> Open Redirect / URI handlers OR 🪟 Windows Hardening -> Windows Local Privilege Escalation (as a new subpage better placed under Windows security 'Protocol Handlers / ShellExecute(Ex) abuse' or 'URI Scheme Handler Attacks'); alternatively a new page under Generic Hacking for 'ShellExecuteExW / protocol handler execution via crafted links (Markdown/HTML)'.".

Repository Maintenance:

  • MD Files Formatting: 949 files processed (1 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
