PT-2026-7399 · Microsoft · Mshtml Framework+1

Published 2026-02-10 · Updated 2026-03-26 · CVE-2026-21513

CVSS v2.0: 10 (High), AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Microsoft Windows MSHTML versions prior to February 2026 Patch Tuesday

Description

A security feature bypass vulnerability exists in the MSHTML Framework, allowing an unauthorized attacker to bypass security features over a network. This flaw, tracked as CVE-2026-21513 and possessing a CVSS score of 8.8, was actively exploited in the wild by the Russia-linked threat actor APT28 before a patch was released by Microsoft. The vulnerability resides within the ieframe.dll component, specifically in the logic responsible for handling hyperlink navigation. Insufficient validation of target URLs allows attacker-controlled input to reach execution paths that call the ShellExecuteExW function. Exploitation involves malicious HTML or LNK files, bypassing Windows security prompts and potentially enabling code execution. The technique bypasses Mark of the Web (MOTW) and Internet Explorer Enhanced Security Configuration (IE ESC) protections. The initial exploitation was observed through malicious LNK files connecting to infrastructure associated with APT28. Any component embedding MSHTML could be a potential attack vector.

Recommendations

Apply the Microsoft February 2026 Patch Tuesday update, specifically patch KB5052577, to all affected systems. Disable MSHTML rendering in Office applications via Group Policy (HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl). Enforce Web Isolation on all endpoints as a compensating control.

Fix

RCE

Protection Mechanism Failure

Weakness Enumeration

Related Identifiers

BDU:2026-01700
CVE-2026-21513

Affected Products

Mshtml Framework
Windows