Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

MSHTML Framework Security Feature Bypass in Internet Explorer/MSHTML

IdentifiersCVE-2026-21513CWE-693· Protection Mechanism Failure

CVE-2026-21513 is a high-severity protection mechanism failure in the Microsoft MSHTML Framework (the Internet Explorer rendering engine) that allows an unauthenticated attacker to bypass file-execution security controls over a network. Public reporting and vendor-linked analysis indicate the vulnerable logic is in MSHTML/ieframe.dll hyperlink navigation handling, where insufficient validation of attacker-controlled target URLs can route execution into ShellExecuteExW outside the intended browser trust context. In observed exploitation, attackers used malicious HTML content and specially crafted Windows Shortcut (.lnk) files, including LNKs with embedded HTML payloads, to manipulate browser and Windows Shell handling, bypass execution prompts, and defeat protections associated with untrusted network-origin content. Akamai reporting further states the technique used nested iframes and multiple DOM contexts to cross trust boundaries, enabling execution of local or remote resources outside the browser sandbox. Microsoft confirmed the flaw was exploited as a zero-day and fixed it in February 2026.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to bypass security features intended to warn or restrict execution of content from untrusted sources, including protections such as file execution prompts, Mark-of-the-Web-related restrictions, and Internet Explorer Enhanced Security Configuration in reported scenarios. Multiple sources state the bypass can be used to silently trigger execution of attacker-controlled content and may lead to remote code execution when chained with additional components or vulnerabilities. The flaw was actively exploited in the wild, including in targeted campaigns attributed by researchers to APT28/Fancy Bear against Ukraine and EU targets, where it was used as part of multi-stage payload delivery and initial access chains.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by preventing users from opening untrusted HTML and .lnk files received via email, web downloads, or messaging platforms; block or quarantine suspicious shortcut files at mail and web gateways; and harden execution controls for content originating from the Internet. Increase monitoring for suspicious explorer.exe, mshtml, ieframe.dll, and ShellExecute-related activity, as well as LNK files with embedded or adjacent HTML content and outbound connections associated with staged payload retrieval. Because reporting indicates any component embedding MSHTML may reach the vulnerable path, limit or monitor applications that render untrusted HTML through MSHTML until patches are applied.

Remediation

Patch, then assume compromise.

Apply Microsoft's February 2026 security update for CVE-2026-21513 on all affected Windows systems and MSHTML-consuming components. Prioritize remediation because Microsoft and CISA reported active exploitation and CISA added the vulnerability to the KEV catalog. Validate patch deployment across supported Windows versions, especially endpoints exposed to phishing and document-based initial access. Because exploitation has been observed in targeted campaigns, organizations should also investigate for prior compromise on systems that may have opened suspicious HTML or LNK files before patching.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindows 10 1607operating_system
Microsoft CorporationWindows 10 1809operating_system
Microsoft CorporationWindows 10 21h2operating_system
Microsoft CorporationWindows 10 22h2operating_system
Microsoft CorporationWindows 11 23h2operating_system
Microsoft CorporationWindows 11 24h2operating_system
Microsoft CorporationWindows 11 25h2operating_system
Microsoft CorporationWindows 11 26h1operating_system
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Server 2012 R2operating_system
Microsoft CorporationWindows Server 2016operating_system
Microsoft CorporationWindows Server 2019operating_system
Microsoft CorporationWindows Server 2022operating_system
Microsoft CorporationWindows Server 2022 23h2operating_system
Microsoft CorporationWindows Server 2025operating_system
Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

164 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

164 SOURCESView more in app
proofpointNews
May 26, 2026
More CVEs, Same Playbook: 2026 Vulnerability Exploitation in the Wild | Proofpoint US

A vulnerability chained with CVE-2026-32202 by TA422 in targeted attacks; specific technical details are not provided in the content.

Read more
scworldNews
Apr 29, 2026
New Windows flaw stems from incomplete fix for APT28-exploited bugs | brief | SC Media

An MSHTML security feature bypass vulnerability used alongside CVE-2026-21510 by APT28 in a December campaign targeting Ukraine and EU member states.

Read more
the hacker newsNews
Apr 29, 2026
CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV

A vulnerability exploited alongside CVE-2026-21510 as a zero-day by APT28 in attacks targeting Ukraine and E.U. countries.

Read more
help net securityNews
Apr 29, 2026
CISA, Microsoft warn of active exploitation of Windows Shell vulnerability (CVE-2026-32202) - Help Net Security

A Windows vulnerability exploited alongside CVE-2026-21510 by APT28 through weaponized LNK files to bypass Windows security features. Microsoft fixed it in February 2026.

Read more
+48 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence26

Every observed campaign linking this CVE to a named adversary.

Associated malware9

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity106

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-21513
NVD
nvd.nist.gov/vuln/detail/CVE-2026-21513
MITRE CWE · CWE-693
Protection Mechanism Failure
Vendor Advisory
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513
Mitigation
vicarius.io/vsociety/posts/cve-2026-21513-mitigation-script-security-feature-bypass-vulnerability-in-mshtml-framework
Third Party Advisory
vicarius.io/vsociety/posts/cve-2026-21513-detection-script-security-feature-bypass-vulnerability-in-mshtml-framework
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21513