PT-2026-7399 · Microsoft · Mshtml Framework+1
Published
2026-02-10
·
Updated
2026-06-22
·
CVE-2026-21513
CVSS v2.0
10
High
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Microsoft Windows 10 1607 versions prior to 10.0.14393.8868
Microsoft Windows 10 1809 versions prior to 10.0.17763.8389
Microsoft Windows 10 21H2 versions prior to 10.0.19044.6937
Microsoft Windows 10 22H2 versions prior to 10.0.19045.6937
Description
A protection mechanism failure in the MSHTML framework allows an unauthorized remote attacker to bypass security features over a network. The issue stems from a logic flaw within the
ieframe.dll component responsible for hyperlink navigation, where insufficient validation of target URLs allows attacker-controlled input to reach execution paths that call the ShellExecuteExW() function. This can be exploited by invoking Internet Explorer using ActiveX forms to execute local or remote resources outside the intended security context. Real-world exploitation has been attributed to the Russian state-sponsored threat actor APT28 (Fancy Bear), who used malicious .LNK files to bypass the Mark of the Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC). The vulnerability can also be triggered through any component that embeds MSHTML.Recommendations
Update Microsoft Windows 10 1607 to version 10.0.14393.8868 or later.
Update Microsoft Windows 10 1809 to version 10.0.17763.8389 or later.
Update Microsoft Windows 10 21H2 to version 10.0.19044.6937 or later.
Update Microsoft Windows 10 22H2 to version 10.0.19045.6937 or later.
Fix
RCE
DoS
Protection Mechanism Failure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mshtml Framework
Windows