this post was submitted on 12 Feb 2026
445 points (98.1% liked)


Remember when Notepad was just… Notepad? A simple text editor nobody asked to be modernized?

Yeah, Microsoft didn’t care either. They bolted on Markdown support and AI features anyway. And now we’ve got CVE-2026-20841. Remote code execution. Via a text file. This is the kind of thing that makes you go “oh come on, really?”

[–] 9point6@lemmy.world 123 points 3 weeks ago* (last edited 3 weeks ago) (3 children)

You know what's really stupid about this

Notepad existed for decades, resisting the general trend of Microsoft software, and it continued to do one thing, and do it well (for the purposes of this argument, let's not get started on line endings)

If someone wanted to do more than just view text files, there was wordpad, a stripped down word processor, that would have been the perfect application to add support for markdown to.

Except they killed it, because enough people must have realised that the word processor bundled with the OS did everything they needed without having to pay Microsoft a subscription for Word.

So now Microsoft is trying to turn notepad into the rudimentary word processor that people expect to come with their OS, destroying the aspect that made it useful

[–] SanctimoniousApe@lemmings.world 29 points 3 weeks ago (1 children)

...let's not get started on line endings

Aww! But, Mom....!

[–] Lembot_0006@programming.dev 27 points 3 weeks ago (2 children)
[–] jaybone@lemmy.zip 14 points 3 weeks ago

At home: \r

[–] SanctimoniousApe@lemmings.world 7 points 3 weeks ago

Oh, so that's the reason you & Dad are always fighting!

[–] avidamoeba@lemmy.ca 16 points 3 weeks ago

When one realizes that anything useful a firm does is just a coincidence of it making profit. 💢

[–] 1984@lemmy.today 7 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

Yes but I bet the young developers at Microslop have never used notepad or wordpad or even windows 95, so they think the best apps are made in electron with JavaScript, or in dotnet.

[–] Kyrgizion@lemmy.world 5 points 3 weeks ago (1 children)

I actually think the young crowd at MS would resist this. This looks much more like a top-down decision from marketing overruling engineering.

[–] 1984@lemmy.today 2 points 3 weeks ago
[–] FauxPseudo@lemmy.world 60 points 3 weeks ago (1 children)

From my post elsewhere on this topic:

Yet another in my ongoing series of headlines about how messed up Microsoft and tech in general is by using just Notepad as an example.

Why Notepad? Because it was supposed to be the most basic built in text editor for the Windows environment. The thing that would always work. The thing that would do exactly what it was supposed to no matter what.

They have messed it up so bad that it's now an attack vector.

It's the prime example of how they keep taking things that work and make them worse.

[–] Th3D3k0y@lemmy.world 20 points 3 weeks ago

A few months ago (maybe a year) I found myself in a situation where I had to uninstall and re-install the native Calculator to Windows because of some error. How in the hell did they mess up a calculator? Well the same way they probably messed up the closest thing we have to pencil and paper on Windows.

[–] sahin@lemmy.world 34 points 3 weeks ago
[–] village604@adultswim.fan 27 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

This has nothing to do with AI. They added markdown to it and now links work.

The title of the article is weird because it's the only place AI is mentioned.

[–] brucethemoose@lemmy.world 5 points 3 weeks ago* (last edited 3 weeks ago)

Friend, this is 2026.

Clickbait is mandatory. Get your reason out of here.

[–] khapyman@sopuli.xyz 20 points 3 weeks ago (1 children)

As I'm in no position to demand company wide switch to a sane operating system I'm constantly in awe of new and innovative ways Microsoft has managed to make my day suck. One such thing is that they have decided that Win 11 Notepad will convert everything it touches to UTF-16. That's kind of a problem when an external system expects ISO-8859-15 and users have decades of experience in editing said config files with Notepad.

[–] random_character_a@lemmy.world 2 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

For some reason I have a vague memory that the old notepad is still there. You just need to do an extra loop to start it. I'll check if I can find the link.

It's been a while and I'm a Linux user, so I didn't really pay attention.

Edit: It's in the system32 folder

[–] khapyman@sopuli.xyz 12 points 3 weeks ago (2 children)

That's pretty much the problem. You know how to work around the issue. I know how to work around the issue. Institutional knowledge doesn't and just opens the application just like they've always done. I resolved this one by associating .csv files with Notepad++ company wide. Now this is a mandated change so they'll grumble and get on track.

The real issue I have with all this is changing data without consent. It's like the new Notepad is malware all by itself, doesn't even need remote exploits.

And hello fellow Linux user :)

[–] vala@lemmy.dbzer0.com 4 points 3 weeks ago (1 children)

Wasn't notepad++ just compromised in a pretty major way?

[–] random_character_a@lemmy.world 4 points 3 weeks ago

I understood that it wasn't notepad++ software itself, but some foreign actor did some high level shit on the update channels of their platform.

[–] random_character_a@lemmy.world 1 points 3 weeks ago

It has always been the problem with Micro$oft products. You don't use them the way you want or need to. You use them the way Micro$oft envisioned it.

[–] Sharkticon@lemmy.zip 18 points 3 weeks ago (1 children)

Why, you know on Earth, would they add "ai" to notepad of all things?

[–] poopkins@lemmy.world 5 points 3 weeks ago

"Why not?" retorts Mr. Nadella, as a grin begins to form. He exchanges a meaningful look with Mr. Suleyman.

[–] Pamasich@kbin.earth 16 points 3 weeks ago (1 children)

The remote code execution isn't "via a text file". It's via a link in a text file, which Notepad now lets you actually click.

Just don't click on links you don't know the destination of (Notepad shows the destination for https links at least, on hover) and you don't have any remote code executing.

[–] themachinestops@lemmy.dbzer0.com 15 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

You have not seen what people these days fall for. Seen a lot of dumb stuff at work.

https://www.trendmicro.com/en_us/research/25/e/unmasking-fake-captcha-cases.html

[–] SaltySalamander@fedia.io 1 points 3 weeks ago

The issue isn't Notepad, though. The issue is PEBKAC

[–] 1984@lemmy.today 10 points 3 weeks ago (1 children)

Have they made notepad a webapp yet? Lol.

[–] Corkyskog@sh.itjust.works 9 points 3 weeks ago

OMG I lowkey hate you for just putting that out into the universe.

[–] FlashMobOfOne@lemmy.world 10 points 3 weeks ago (1 children)

They've been enshittifying it for over a year.

Use LibreOffice instead. It's available on both Windows and Linux.

[–] chaogomu@lemmy.world 11 points 3 weeks ago (1 children)

LibreOffice is good, but it's not a Notepad replacement. It does far too much for that.

If you want a lightweight text editor then Notepad++ is the one to look at.

Or rather it was until State Sponsored Hackers started running attacks on the domain. So maybe grab the software from GitHub instead.

[–] fluxx@lemmy.world 2 points 3 weeks ago (1 children)

Yeah, but notepad++ was recently hacked and has been compromised. An unfortunate timing.

[–] chaogomu@lemmy.world 4 points 3 weeks ago (1 children)

The software itself wasn't compromised. But the download link was. So if you downloaded it in the last year, you downloaded state sponsored malware.

[–] SaltySalamander@fedia.io 3 points 3 weeks ago (1 children)

No. The download link was never compromised. What was compromised was the built-in auto-update feature.

[–] Techlos@lemmy.dbzer0.com 2 points 3 weeks ago (1 children)

Years of auto update paranoia paid off for me, never trust an executable that doesn't give you a hash to check.

[–] SaltySalamander@fedia.io 2 points 3 weeks ago

My philosophy as well

[–] cerebralhawks@lemmy.dbzer0.com 10 points 3 weeks ago (2 children)

Mac guy who uses Windows at work. It can be disabled.

On my Windows 11 workstation, the AI stuff and Markdown stuff is gone from Notepad. It's very easy to do in the settings, and there's even a gear icon right on the main window. As a Mac user I know ⌘+, (Command + Comma) opens Settings, but with Windows, it's typically File --> Settings or Tools --> Settings or something like that. Notepad makes it even easier. The AI stuff can be disabled with a click. The Markdown stuff will warn you that any Markdown will be converted to plain text, which is fine, because I don't even know Markdown. (I assume it's similar to the formatting used on Lemmy, Reddit, et al.)

If there's a way to deny Notepad access to the network, I don't know it, and probably can't do it on a locked-down workstation anyway. They lock down a lot of dumb shit, like the wallpaper. We can't change the wallpaper. I can't change my phone number in my Outlook profile, either — it just goes to the switchboard. I can put my direct line in my email signature and they actually encourage that. Dumb shit like that.

Anyway, TextEdit (the Mac equivalent) has none of that dumb shit AFAIK. It always opens in small windows and the text is super tiny. Oddly enough, after a restart, Notepad wants the text two sizes too big, but I do CTRL+- (Control plus Minus/Dash) I think, twice, and it's just right. Honestly I like Notepad a little more. The real GOAT (on both Mac and Windows!) is Sticky Notes, though. It's not the same application but it has the same functions.

[–] thisbenzingring@lemmy.today 3 points 3 weeks ago

the dumb shit that locks down the wallpaper is usually a group policy and those are basically on/off type options with very little configuration options

the Outlook profile thing with the phone number is usually because IT doesn't get to control that and it's in the HR section of your profile on the 365 portals, so the path of least resistance is just put it in your email signature and stop bothering us with your requests that take lots of manpower because microsoft has made this all so overtly complicated so that they can sell more stuff to your business that requires more input that nobody knows how to do because microsoft write shitty info documents that read like a jigsaw puzzle

[–] frostysauce@lemmy.world 1 points 3 weeks ago (1 children)

Sticky Notes was great. Now your notes are stored in the cloud.

[–] cerebralhawks@lemmy.dbzer0.com 1 points 2 weeks ago

You think? Assuming we're just talking about the Microsoft product, I only use it at work, and I'm not signed into my Xbox (Microsoft) account there. I am signed into the corporate Intranet, which I use to log on, and I can use it to access Office Online, so maybe they're synced through that? OneDrive is installed as it is part of Windows (then again, so is the Xbox app) but I can't do anything with it. It says my account isn't provisioned for it and I just get a blank screen. Same with Copilot — I've tried it. The hardware is capable, I suppose it is technically a "Copilot PC" though it isn't branded as such... but it won't run without a Windows account. And I'm not using my personal one.

I guess I can test it by logging onto another workstation and opening Sticky Notes.

Unless you're implying Microsoft just stores all kinds of data Windows can find in the cloud... that would not surprise me. You'd be saying every company that uses Windows has their trade secrets and whatnot in Microsoft's cloud. I would not doubt that either, fuck Microsoft and all that, but I kinda doubt a lot of companies would just let that go. I think by using our own intranet for a lot of stuff, we sidestep most of that. I'm not really sure though. I also don't care that much. I don't have a stake in the company, after all. And I'm going to try to be a responsible steward of the information I do have. If I had Copilot access, for example, I wouldn't tell it anything personal, private, or confidential. But as far as what Microsoft actually does? I figure I have very little power over that.

[–] Kyrgizion@lemmy.world 8 points 3 weeks ago

Nopepad now.

[–] pycorax@sh.itjust.works 7 points 3 weeks ago (1 children)

Isn't the point of a RCE that the user doesn't need to click and run the malicious code? What makes this different from the user opening a site on a browser which is filled with links?

[–] thisbenzingring@lemmy.today 5 points 3 weeks ago (1 children)

the browser knows it's opening links and has a code base on how to do that

notepad isn't supposed to fetch data when the file it opens contains code that acts like a link

[–] pycorax@sh.itjust.works 1 points 3 weeks ago (2 children)

Does it not invoke the browser to do it? The article and associated pages don't really go into how the whole flow works.

[–] Kazumara@discuss.tchncs.de 2 points 3 weeks ago

It uses a more generic shell linking method, that doesn't just load web URLs but also file paths, including to executables.

https://news.ycombinator.com/item?id=46971516
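
A defensive check for the behaviour described in the comment above, as an added example that is not part of the thread and is not Notepad's code: it scans Markdown text for link targets and reports any that are not plain http/https URLs (file paths, UNC paths, other URI schemes). The http/https-only policy, the function names and the sample document are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumed policy: web links only

# Inline links [text](target "title") and autolinks <scheme:target>
INLINE = re.compile(r'\[[^\]]*\]\(\s*<?([^)\s>]+)>?(?:\s+"[^"]*")?\s*\)')
AUTOLINK = re.compile(r'<([A-Za-z][A-Za-z0-9+.-]*:[^>\s]+)>')
DRIVE_PATH = re.compile(r'^[A-Za-z]:[\\/]')  # C:\... or C:/...

def classify(target):
    """Return (allowed, reason) for one link target."""
    if DRIVE_PATH.match(target) or target.startswith("\\\\"):
        return False, "local or UNC file path"
    try:
        scheme = urlsplit(target).scheme.lower()
    except ValueError:
        return False, "unparseable target"
    if not scheme:
        return False, "no scheme (relative path)"
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme '%s:' is not allowlisted" % scheme
    return True, "web URL"

def scan(markdown):
    """Return (line number, target, reason) for every non-allowlisted link."""
    findings = []
    for lineno, line in enumerate(markdown.splitlines(), 1):
        targets = INLINE.findall(line)
        # Blank out inline links first so [x](<url>) is not counted twice.
        targets += AUTOLINK.findall(INLINE.sub(" ", line))
        for target in targets:
            allowed, reason = classify(target)
            if not allowed:
                findings.append((lineno, target, reason))
    return findings

# Constructed sample document, not taken from any real file.
SAMPLE = """\
# Release notes
See the [project site](https://example.org/docs) for details.
Run the [installer](file:///C:/Users/Public/setup.exe) to continue.
Shared copy: [report](\\\\fileserver\\share\\report.cmd)
Support: <https://example.org/help>
Launch: [open](exampleapp://start)
"""

if __name__ == "__main__":
    for lineno, target, reason in scan(SAMPLE):
        print("line %d: %s -> %s" % (lineno, target, reason))
```
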

[–] thisbenzingring@lemmy.today 1 points 3 weeks ago* (last edited 3 weeks ago)

https://nvd.nist.gov/vuln/detail/CVE-2026-20841 this page would contain the best details on the CVE, there is a link to a forum discussing it

I don't know for sure but I suspect it is like many of the other types of exploits where someone makes a normal looking URL but inside of it hides conditions that make whatever is inspecting the URL to know that it should open in the web browser do something before it opens the web browser. Like before it starts the web browser, it tells it to download some code and run it, and that code then hijacks your "system" because the system service is running the code

[–] EndlessNightmare@reddthat.com 5 points 3 weeks ago

No one:

Micro$lop: you know what this needs shoehorned into it? AI!

[–] ilillilillilillililli@lemmy.world 0 points 3 weeks ago (1 children)

Can anyone tell me if Win 10 LTSC IoT 21H2 is also affected? This is the only M$ OS I run on a few devices (I pretentiously use Linux BTW). If notepad.exe on LTSC is still being molested by updates, that's beyond fucked.

[–] m4ylame0wecm@lemmy.zip 2 points 3 weeks ago (1 children)

I don't think it does. The MSRC page linking to the notepad update release notes/download go to the windows store version of notepad, which lists a requirement of Windows 11 version 22000.0 or higher.

I haven't gone more in depth than that though.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841

Thanks for the info!