Planned Fix

CVE-2026-21510

Microsoft Windows Shell Protection Mechanism Failure Vulnerability

Summary

Microsoft Windows Shell contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network. An attacker must trick a user into opening a specially crafted link or shortcut file, after which Windows may fail to show the expected SmartScreen or shell warning. That can let attacker-controlled content run without the normal user consent prompt and may lead to compromise of the affected system.

Why Planned Fix?

4/6
No authentication required
Internal deployment
User interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type: Unknown
Is exploitable with default configuration? Yes
Is authentication needed? No
PoC / Exploit: Yes
Impact

Execute attacker-controlled content on the victim system with the user's privileges.

RCE (Remote Code Execution)
Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

An attacker prepares a malicious link or shortcut file that points to attacker-controlled content. The victim is then persuaded to open that file, causing Windows Shell to process it. The flaw prevents the expected security prompt or SmartScreen warning from appearing, so the content executes without the normal user warning or consent. Successful exploitation is usually confirmed when the attacker-controlled payload runs on the endpoint.

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 2

Affected Software

Vendor: Microsoft

Product | Affected Versions
Windows 10 | 1607, 1809, 21H2, 22H2 and earlier builds before the February 2026 security update
Windows 11 | 23H2, 24H2, 25H2 and earlier builds before the February 2026 security update
Windows Server | 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, 2025 and earlier builds before the February 2026 security update

Description

Windows is Microsoft's desktop and server operating system family. Windows Shell provides the graphical shell, file handling, and shortcut/link launch behavior used by Explorer and related components.

Deployment: Typically internal | Protocol: HTTP/HTTPS | Ports: 80, 443

Affected Component

Windows Shell link and shortcut handling, including SmartScreen and shell security prompt enforcement.

Vendor Size: Big

Remediation
Workaround

Not available

Patch

Not available

Update
Install Microsoft’s February 10, 2026 Windows security update or later for the affected Windows 10, Windows 11, and Windows Server branches. Microsoft’s advisory lists the fixed build levels for each supported release.


msrc.microsoft.com
Threat Intelligence
EPSS Score: 3.3%

Probability of exploitation in the next 30 days

EPSS Percentile: 87%

Worse than 87% of all CVEs

CISA KEV: Listed
Active Exploitation: Active
bleepingcomputer.com
Threat Actors

No known threat actors

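Detection Rules (1)
KQL
// Script hosts and LOLBins launched from Explorer with a shortcut or URL on the command line.
DeviceProcessEvents
// DeviceProcessEvents has no ParentFileName column; the parent image is InitiatingProcessFileName.
| where InitiatingProcessFileName =~ "explorer.exe"
| where FileName in~ ("powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe")
// Check the child's command line as well: Explorer's own command line rarely carries the link target.
| where ProcessCommandLine has_any (".lnk", ".url", "http://", "https://")
    or InitiatingProcessCommandLine has_any (".lnk", ".url", "http://", "https://")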

NVD Data


Description Summary

Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.

CVSS Base Score

8.8 (High)

CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CWE: CWE-693 Protection Mechanism Failure

Version From:
Version Upto: 10.0.14393.8868, 10.0.14393.8868, 10.0.17763.8389, 10.0.17763.8389, 10.0.19044.6937, 10.0.19044.6937, 10.0.19044.6937, 10.0.19045.6937, 10.0.19045.6937, 10.0.19045.6937, 10.0.22631.6649, 10.0.22631.6649, 10.0.26100.7781, 10.0.26100.7781, 10.0.26200.7781, 10.0.26200.7781, 10.0.14393.8868, 10.0.17763.8389, 10.0.20348.4711, 10.0.25398.2149, 10.0.26100.32313

Affected Software (CPE) (23)

  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*

Priority History

Planned Fix

Initial analysis