Planned Fix

CVE-2026-21513

Microsoft MSHTML Framework Protection Mechanism Failure Vulnerability

Summary

Microsoft's MSHTML Framework contains a protection mechanism failure in hyperlink navigation handling. A malicious .LNK file or crafted HTML content can abuse nested iframe and DOM navigation to push attacker-controlled URLs into a shell-execution path, bypassing Mark of the Web and Internet Explorer Enhanced Security Configuration. The attack requires the victim to open the crafted file or content, and in-the-wild exploitation has been observed.

Why Planned Fix?

4/6
  • No authentication required
  • Internal deployment
  • User interaction needed
  • Exploitable in default configuration
  • Active exploitation in the wild
  • High impact vulnerability

Exploitation Details

Type: Unknown
Is exploitable with default configuration? Yes
Is authentication needed? No
PoC / Exploit: No
Impact: RCE (Remote Code Execution). Bypass browser security boundaries and execute attacker-controlled content outside the sandbox.
Exploitation Requirements: None — vulnerable in default configuration

Exploitation Process

An attacker delivers a malicious .LNK file or HTML lure, often through phishing, to a user on a Windows system that embeds MSHTML. When the victim opens the shortcut or content, nested iframe and DOM navigation manipulate the hyperlink handling path in ieframe.dll/MSHTML, causing the target URL to be processed through ShellExecuteExW instead of staying inside the browser context. The exploit bypasses Mark of the Web and Internet Explorer Enhanced Security Configuration, and success is verified when attacker-controlled content executes outside the browser sandbox.

Detection Resources
Manual Detection: 0
Script Detection: 0

Affected Software

Vendor: Microsoft
Product: Microsoft Windows
Affected Versions: Windows 10 1607, 1809, 21H2, 22H2; Windows 11 23H2, 24H2, 25H2; Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, 2025
Description

Desktop and server operating system that includes the legacy MSHTML/IEFRAME web-rendering engine used by Internet Explorer and embedded browser controls.

Deployment: Mixed (internet/internal)
Protocol: HTTP/HTTPS
Ports: 80, 443
Affected Component: Hyperlink navigation handling in ieframe.dll/MSHTML, including embedded WebBrowser and HTML file navigation flows that can pass attacker-controlled URLs to ShellExecuteExW.
Vendor Size: Big
Remediation
Workaround: Not available

Patch: Apply the February 2026 Microsoft Windows security update for your affected release; the fix is delivered as the applicable KB cumulative update for each supported Windows and Windows Server build. (Source: msrc.microsoft.com)

Update: Not available

Threat Intelligence
EPSS Score: 24.7% (probability of exploitation in the next 30 days)
EPSS Percentile: 96% (worse than 96% of all CVEs)
CISA KEV: Listed
Active Exploitation: Active (source: akamai.com)
Threat Actors (1): APT28 (Fancy Bear, Sednit): Russian state-sponsored cyberespionage group targeting Ukrainian and allied government and critical-infrastructure entities

Detection Rules (2)

  • KQL: DeviceNetworkEvents | where RemoteUrl contains 'wellnesscaremed.com'
  • KQL: DeviceFileEvents | where FileName =~ 'document.doc.LnK'

NVD Data


Description Summary

Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.

CVSS Base Score: 8.8 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CWE: CWE-693 Protection Mechanism Failure
Version From: (not specified)
Version Upto: 10.0.14393.8868, 10.0.14393.8868, 10.0.17763.8389, 10.0.17763.8389, 10.0.19044.6937, 10.0.19044.6937, 10.0.19044.6937, 10.0.19045.6937, 10.0.19045.6937, 10.0.19045.6937, 10.0.22631.6649, 10.0.22631.6649, 10.0.26100.7781, 10.0.26100.7781, 10.0.26200.7781, 10.0.26200.7781, 10.0.14393.8868, 10.0.17763.8389, 10.0.20348.4711, 10.0.25398.2149, 10.0.26100.32313

Affected Software (CPE) (23)

  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:-:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:-:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:-:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:-:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:x64:*