CVE-2026-21513

Name of the Vulnerable Software and Affected Versions Microsoft Windows versions prior to 10.0.14393.8868 Microsoft Windows versions prior to 10.0.17763.8389 Microsoft Windows versions prior to 10.0.19044.6937 Microsoft Windows versions prior to 10.0.19045.6937 Microsoft Windows (affected versions not specified)

Description A protection mechanism failure in the MSHTML Framework allows an unauthorized attacker to bypass security features over a network. This issue was exploited as a zero-day by the Russia-linked threat actor APT28 (Fancy Bear) in targeted cyber-espionage campaigns. The flaw exists in the logic of the ieframe.dll component responsible for hyperlink navigation, where insufficient validation of target URLs allows attacker-controlled input to reach execution paths that call the ShellExecuteExW() function. Attackers can exploit this by using malicious .LNK files or HTML files containing nested iframes to bypass the Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC), enabling the execution of arbitrary files outside the browser security context.

Recommendations Apply the Microsoft February 2026 Patch Tuesday update, specifically patch KB5052577. As a temporary workaround, disable MSHTML rendering in Office applications via Group Policy at HKLMSOFTWAREMicrosoftInternet ExplorerMainFeatureControl and enforce Web Isolation on all endpoints.