Microsoft’s February 2026 Patch Tuesday fixed a protection mechanism bypass in the Windows MSHTML framework, tracked as CVE-2026-21513. An unauthenticated attacker can bypass a security feature over the network, and the flaw was already under active exploitation as a zero-day before the patch shipped.
What MSHTML is and why it matters
MSHTML, also known as Trident, is Windows’ legacy HTML rendering engine. Internet Explorer retired long ago, but MSHTML still ships with the system, and other components call it to render HTML content. That staying power keeps it a popular target: a flaw in MSHTML fires without a modern browser anywhere in sight, just by opening a crafted file.
What the vulnerability is
CVE-2026-21513 is a protection mechanism failure (CWE-693): the component fails to enforce a security check that should keep certain links away from sensitive code paths. The published technical analysis points to the hyperlink-navigation logic in ieframe.dll, which did not validate the target URL adequately. That gap let attacker-controlled input reach calls to ShellExecuteExW, so local or remote resources could run outside the browser’s intended security context.
Exploitation needs user interaction: the victim has to open a crafted HTML file or a malicious shortcut (.lnk). In the samples that researchers examined, a Windows shortcut carried an embedded HTML file, and the exploit chained nested iframes and several DOM contexts to bend trust boundaries and deliver multi-stage payloads.
Who is affected and severity
The flaw hits multiple Windows versions: Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (22H3, 23H2, 24H2, 25H2 and later) and Windows Server (2012 R2, 2016, 2019). Its CVSS 3.1 score is 8.8 (high), with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: network-exploitable, no prior privileges, but requiring user interaction, with full impact on confidentiality, integrity and availability.
Real-world exploitation: APT28
Microsoft confirmed the vulnerability was exploited as a zero-day in real-world attacks. Researchers tied the campaign to the APT28 group (associated with Russia). On January 30, 2026 a malicious artifact landed on VirusTotal, connected to the group’s infrastructure, carrying a .lnk shortcut that opened communication with an attacker-controlled domain. CISA added the CVE to its KEV (Known Exploited Vulnerabilities) catalog with a remediation deadline of March 3, 2026.
Mitigation
The main move is to apply Microsoft’s February 2026 updates, which tighten hyperlink protocol validation so file://, http:// and https:// links can no longer reach ShellExecuteExW. Beyond the patch, treat .lnk and .html files arriving by email or messaging with suspicion, keep Mark-of-the-Web and SmartScreen protections turned on, and put exposed machines first in line, since the exploit is already in use.
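The samples described in the exploitation section (a Windows shortcut carrying an embedded HTML file with nested iframes) and the advice here to treat incoming .lnk files with suspicion both call for the same defensive check: a quick triage of an attachment before anyone double-clicks it. The block below is an added example, not code from the article or from any of the cited researchers. It decodes only the fixed ShellLinkHeader from the MS-SHLLINK format (the 0x4C-byte size field and the shortcut CLSID are the published values), then scans the remainder of the file for HTML tags that have no place in a shortcut. The sample byte strings are constructed here for the demonstration and are not the real artifact; the HTML_MARKERS list and the verdict labels are this example's own choices.

```python
import hashlib
import struct

# Fixed ShellLinkHeader layout from MS-SHLLINK: 0x4C bytes, beginning with
# HeaderSize and the LinkCLSID 00021401-0000-0000-C000-000000000046
# (stored as a little-endian GUID, hence the byte order below).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_ARGUMENTS = 0x20   # LinkFlags bit: a command line follows the target
FLAG_IS_UNICODE = 0x80      # LinkFlags bit: string data is UTF-16

# Tags that never belong in a shortcut; a hit means the .lnk carries HTML that
# MSHTML could render when the shortcut is opened. (Marker list chosen for this example.)
HTML_MARKERS = (b"<html", b"<iframe", b"<script", b"<object", b"<embed")


def parse_lnk_header(data):
    """Decode only the fixed header; returns (is_shell_link, link_flags)."""
    if len(data) < LNK_HEADER_SIZE:
        return False, 0
    header_size = struct.unpack_from("<I", data, 0x00)[0]
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    is_lnk = header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID
    return is_lnk, link_flags


def triage_lnk(data):
    """Heuristic triage of one attachment: header check, HTML scan, iframe count, hash for lookup."""
    is_lnk, flags = parse_lnk_header(data)
    body = data[LNK_HEADER_SIZE:].lower() if is_lnk else b""
    markers = sorted(m.decode() for m in HTML_MARKERS if m in body)
    if not is_lnk:
        verdict = "not_a_shortcut"
    elif markers:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_lnk": is_lnk,
        "has_arguments": bool(flags & FLAG_HAS_ARGUMENTS),
        "markers": markers,
        "iframe_count": body.count(b"<iframe"),
        "verdict": verdict,
    }


def _build_header(flags):
    """Constructed ShellLinkHeader for the samples below (not a real-world file)."""
    hdr = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", hdr, 0x00, LNK_HEADER_SIZE)
    hdr[4:20] = LNK_CLSID
    struct.pack_into("<I", hdr, 0x14, flags)
    struct.pack_into("<I", hdr, 0x3C, 1)   # ShowCommand = SW_SHOWNORMAL
    return bytes(hdr)


# Constructed samples. The "suspicious" one mimics only the shape the article
# describes: a valid shortcut header followed by an HTML document with nested iframes.
SAMPLE_SUSPICIOUS = (
    _build_header(FLAG_HAS_ARGUMENTS | FLAG_IS_UNICODE)
    + b"\x00" * 64
    + b"<html><body><iframe srcdoc=\"<iframe src='about:blank'></iframe>\">"
    + b"</iframe></body></html>"
)
SAMPLE_BENIGN = _build_header(FLAG_IS_UNICODE) + b"\x00" * 64
SAMPLE_NOT_LNK = b"MZ" + b"\x00" * 100

if __name__ == "__main__":
    for name, blob in (("suspicious", SAMPLE_SUSPICIOUS),
                       ("benign", SAMPLE_BENIGN),
                       ("not_lnk", SAMPLE_NOT_LNK)):
        print(name, triage_lnk(blob))
```

This is a cheap first pass, not a replacement for the patch: it catches the file shape the researchers described (shortcut header, then HTML), and the SHA-256 it returns is what you would feed to a reputation lookup. Keep the full path-and-argument decoding to a proper LNK parser, and treat any shortcut that is flagged here as something to detonate in a sandbox rather than open on a workstation.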
Sources
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21513
- Microsoft Security Response Center (MSRC)
- Akamai Security Research
- CISA Known Exploited Vulnerabilities (KEV) catalog