PT-2026-7399 · Microsoft · Mshtml Framework+1

Published: 2026-02-10 · Updated: 2026-05-30 · CVE-2026-21513

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Microsoft Windows 10 1607 versions prior to 10.0.14393.8868
Microsoft Windows 10 1809 versions prior to 10.0.17763.8389
Microsoft Windows 10 21H2 versions prior to 10.0.19044.6937
Microsoft Windows 10 22H2 versions prior to 10.0.19045.6937

Description

A protection mechanism failure in the MSHTML framework allows an unauthorized remote attacker to bypass security features over a network. The issue stems from a logic flaw in the ieframe.dll component responsible for hyperlink navigation, where insufficient validation of target URLs allows attacker-controlled input to reach execution paths that call the ShellExecuteExW() function. This can be exploited by invoking Internet Explorer using ActiveX forms to execute local or remote resources outside the intended security context. This flaw enables the bypass of the Mark of the Web (MotW), a mechanism that identifies files downloaded from the internet, and the Internet Explorer Enhanced Security Configuration (IE ESC). The issue has been actively exploited in the wild by the Russian state-sponsored threat actor APT28 (Fancy Bear), utilizing malicious .LNK files to trigger the vulnerable navigation flow and execute arbitrary files.

Recommendations

Update Windows 10 1607 to version 10.0.14393.8868 or later.
Update Windows 10 1809 to version 10.0.17763.8389 or later.
Update Windows 10 21H2 to version 10.0.19044.6937 or later.
Update Windows 10 22H2 to version 10.0.19045.6937 or later.

Fix

DoS

RCE

Protection Mechanism Failure

Weakness Enumeration

Related Identifiers

BDU:2026-01700
CVE-2026-21513

Affected Products

Mshtml Framework
Windows