CVE-2026-21510 — Microsoft Windows Shell Protection Mechanism Failure Vulnerability

Microsoft Windows Shell — SmartScreen Bypass via Malicious LNK Files (Network-Delivered)

What is Windows SmartScreen?

Windows SmartScreen is a security feature built into Windows Shell that protects users from malicious files and executables downloaded from the internet. When a file carries a Mark-of-the-Web (MotW) — an NTFS Alternate Data Stream tag applied by browsers and email clients to flag internet-origin content — SmartScreen displays a warning before the file executes, giving users a chance to abort. SmartScreen is a key defense against phishing and malware delivery; bypassing it means an attacker's payload runs without any security warning when the user clicks the file.

Overview

CVE-2026-21510 is a protection mechanism failure (CWE-693) in Windows Shell that bypasses SmartScreen and related security prompts. Attackers deliver a malicious Windows Shortcut (.LNK) file or crafted link to a victim; when the user clicks it, the Windows Shell fails to invoke SmartScreen warnings and the attacker-controlled code executes silently. The attack is delivered over the network (e.g., phishing email or drive-by download) and requires only a single click from the victim — no authentication or elevated privileges are needed. Exploited as a zero-day, it was patched in Microsoft's February 2026 Patch Tuesday update.

Affected Versions

Product                               Vulnerable                          Fixed
Windows 10 (1607, 1809, 21H2, 22H2)   All builds before Feb 2026 CU       February 2026 Cumulative Update
Windows 11 (22H3 through 26H1)        All builds before Feb 2026 CU       February 2026 Cumulative Update
Windows Server 2012 R2 through 2025   All builds before Feb 2026 patch    February 2026 Security Update

Technical Details

The vulnerability (CWE-693: Protection Mechanism Failure) is in the Windows Shell's file execution pipeline. When processing a .LNK or similar file, the Shell is responsible for consulting SmartScreen before allowing execution. The flaw allows this consultation to be bypassed for certain crafted file types or path constructions, causing execution to proceed without the standard security warning.

Attackers deliver the crafted .LNK file via phishing emails or attacker-controlled websites. When the victim clicks the file, execution proceeds at the user's current privilege level — typically a standard user — which is sufficient to deploy malware, establish persistence, and begin lateral movement. This CVE was often mentioned alongside CVE-2026-21513 (MSHTML MotW bypass) as part of the same LNK-based phishing campaign infrastructure, suggesting coordinated delivery.

Discovery

No public researcher attribution has been identified. The zero-day was reported to Microsoft prior to patch availability.

Exploitation Context

Confirmed zero-day exploitation in the wild at the time of the February 2026 Patch Tuesday disclosure. CISA added it to the KEV catalog on the patch release date, indicating federal agencies had observed or been targeted by exploitation. The vulnerability was frequently paired with CVE-2026-21513 in the same attack campaigns, using LNK files as the delivery mechanism to bypass MotW protections. No threat actor has been publicly attributed to CVE-2026-21510 specifically.

Remediation

  1. Apply the February 2026 Patch Tuesday cumulative update to all affected Windows systems immediately.
  2. Enable SmartScreen at the Group Policy level (Computer Configuration → Windows Settings → Security Settings → Windows Defender SmartScreen) to prevent users from disabling it locally.
  3. Block .LNK file delivery in email gateways — configure mail filtering to quarantine or strip .LNK attachments from external senders.
  4. Enable Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint, particularly the rule to block process creation from .LNK files downloaded from the internet.
  5. Train users to be cautious of clicking links or shortcuts from unknown sources.
  6. Monitor for execution of processes spawned from .LNK files, especially from user profile download directories.
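The Mark-of-the-Web mechanism described at the top of this page, and remediation steps 2, 4 and 6, can all be checked from the endpoint itself. The PowerShell script below is an added example written for this page; it is not code from Microsoft or from the advisory. The registry location and value names are the standard ones written by the "Configure Windows Defender SmartScreen" Group Policy, Zone.Identifier is the NTFS alternate data stream that carries MotW (ZoneId=3 is the Internet zone), and the two ASR properties are real members of the Get-MpPreference output. The Downloads folder, the seven-day window and the shape of the report are assumptions of this example, and it does not map ASR rule GUIDs to rule names.

```powershell
# Added example (not from the advisory): audit SmartScreen policy, ASR rule state, and
# internet-origin .LNK files on a Windows host. Run from an elevated PowerShell session.

function Get-SmartScreenPolicy {
    # The "Configure Windows Defender SmartScreen" policy writes two values here:
    #   EnableSmartScreen     1 = enforced on (users cannot turn it off locally)
    #   ShellSmartScreenLevel "Warn" or "Block"
    # If the key is absent, SmartScreen is left to the local (user-changeable) setting.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyEnforced        = [bool]$props -and ($props.EnableSmartScreen -eq 1)
        EnableSmartScreen     = $props.EnableSmartScreen
        ShellSmartScreenLevel = $props.ShellSmartScreenLevel
    }
}

function Get-AsrRuleState {
    # Defender exposes configured ASR rules as two parallel arrays: rule GUIDs and
    # their actions (0 = Off, 1 = Block, 2 = Audit, 6 = Warn). Compare the GUIDs
    # against your baseline; an empty list means no ASR rules are configured at all.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{ RuleId = $ids[$i]; Action = $actions[$i] }
    }
}

function Get-InternetOriginLnk {
    param(
        # Assumption of this example: inventory the current user's Downloads folder.
        [string]$Root = (Join-Path $env:USERPROFILE 'Downloads'),
        # Assumption of this example: only look back seven days.
        [int]$Days = 7
    )
    # MotW lives in the Zone.Identifier alternate data stream. ZoneId=3 marks the
    # Internet zone, which is exactly the content SmartScreen is supposed to gate.
    Get-ChildItem -Path $Root -Filter '*.lnk' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        ForEach-Object {
            $zone = Get-Content -Path $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            if ($zone -match '^ZoneId=3') {
                # HostUrl, when present, records where the file was downloaded from.
                $hostUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
                [pscustomobject]@{
                    Path      = $_.FullName
                    LastWrite = $_.LastWriteTime
                    HostUrl   = $hostUrl
                }
            }
        }
}

# Report: policy posture, configured ASR rules, and recent internet-origin shortcuts.
Get-SmartScreenPolicy | Format-List
Get-AsrRuleState      | Format-Table -AutoSize
Get-InternetOriginLnk | Format-Table -AutoSize
```

A PolicyEnforced value of False means SmartScreen is not locked at the Group Policy level (step 2), and any .LNK file the last function lists is internet-delivered content that the vulnerable Shell would have executed without a warning. Note that this audit confirms configuration and exposure only; because CVE-2026-21510 is the Shell failing to consult SmartScreen at all, a correctly enforced policy does not substitute for the February 2026 update.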

Key Details

Property              Value
CVE ID                CVE-2026-21510
Vendor / Product      Microsoft — Windows
NVD Published         2026-02-10
NVD Last Modified     2026-02-11
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-693
CISA KEV Added        2026-02-10
CISA KEV Deadline     2026-03-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2026-03-03. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2026-02-10   February 2026 Patch Tuesday — patch released; CVE published; added to CISA KEV catalog as active zero-day
2026-03-03   CISA BOD 22-01 remediation deadline