What is Microsoft MSHTML?
MSHTML (also known as Trident) is Microsoft's HTML rendering engine, originally the core of Internet Explorer. While Internet Explorer itself was retired in 2022, the MSHTML engine (implemented in ieframe.dll and related components) remains present in all supported versions of Windows as a component used by legacy applications, Windows features, and third-party software that embeds web content. Because it was not designed with modern browser security boundaries, MSHTML operates with significantly fewer sandboxing protections than modern rendering engines. Vulnerabilities in MSHTML can bypass protections that browsers like Edge apply by default.
Overview
CVE-2026-21513 is a protection mechanism failure (CWE-693) in the MSHTML Framework's hyperlink navigation logic. Insufficient validation of target URLs in ieframe.dll allows attacker-controlled input to reach ShellExecuteExW code paths, executing local or remote resources outside the browser security context. This bypasses Mark-of-the-Web (MotW) controls and Internet Explorer Enhanced Security Configuration (IE ESC). Observed attacks used malicious .LNK files embedding HTML that triggered the vulnerable MSHTML code path. APT28 (Russian state-sponsored) exploited this as a zero-day before the February 2026 Patch Tuesday fix.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 10 (1607, 1809, 21H2, 22H2) | All builds before Feb 2026 CU | February 2026 Cumulative Update |
| Windows 11 (22H3, 23H2, 24H2, 25H2, 26H1) | All builds before Feb 2026 CU | February 2026 Cumulative Update |
| Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2025 | All builds before Feb 2026 patch | February 2026 Security Update |
Technical Details
The vulnerability (CWE-693: Protection Mechanism Failure) is in the hyperlink URL validation logic within ieframe.dll. When MSHTML processes a hyperlink navigation, it should validate the target URL and enforce zone-based security policies. The flaw allows URLs using file://, http://, and https:// schemes to bypass these checks and reach ShellExecuteExW, which executes the referenced resource outside normal browser security constraints.
Crafted .LNK files (Windows Shortcuts) embedding HTML can trigger this code path: when a user clicks the .LNK, the embedded HTML is processed by MSHTML, the malicious link is constructed, and ShellExecuteExW executes an attacker-controlled payload without SmartScreen or MotW intervention. An exploit sample with the filename document.doc.LnK.download appeared on VirusTotal on 30 January 2026, approximately 11 days before the patch. Microsoft's fix tightened hyperlink protocol validation to prevent file://, http://, and https:// links from reaching ShellExecuteExW.
Discovery
Akamai Security Research performed automated root cause analysis post-patch and correlated the fix to an in-the-wild exploit sample. Microsoft Threat Intelligence Center (MSTIC) and Google Threat Intelligence Group (GTIG) were also credited in the advisory.
Exploitation Context
Attributed to APT28 (Fancy Bear, Russian state-sponsored GRU-linked group). APT28 used crafted .LNK files connecting to the command-and-control domain wellnesscaremed[.]com to deliver payloads. The exploit pre-dates the February 2026 patch by at least 11 days based on the VirusTotal submission date. CISA added CVE-2026-21513 to the KEV catalog on Patch Tuesday, indicating active exploitation of government-relevant targets. This CVE was used in conjunction with CVE-2026-21510 (Windows Shell SmartScreen bypass) as part of the same LNK-based phishing campaign infrastructure.
Remediation
- Apply the February 2026 Patch Tuesday cumulative update to all affected Windows systems immediately.
- Disable legacy MSHTML/Internet Explorer mode in Edge and remove IE compatibility shims where not required by business-critical applications.
- Block .LNK file delivery in email gateways — configure mail filtering to quarantine .LNK attachments from external senders.
- Enable Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint to block execution of files from MSHTML-accessible paths.
- Enable IE Enhanced Security Configuration (IE ESC) on Windows Server systems to reduce the attack surface of MSHTML-dependent code paths.
- Monitor for connections to unusual domains from ieframe.dll-related processes (iexplore.exe, svchost.exe) and for ShellExecuteExW calls from unexpected callers.
- IOC: Block the C2 domain wellnesscaremed[.]com at DNS and perimeter firewalls.
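As an added defender-side example (not code from the advisory or from Microsoft), the Python below models two of the remediation items above: a gateway rule that quarantines .LNK attachments from external senders, including disguised double-extension names like the observed sample, and a scan of constructed network events for the C2 indicator and for unusual destinations from the ieframe.dll-related processes named above. The event format and the allowlist are assumptions made for the example.

```python
import re

# Indicator quoted in the advisory, kept defanged; re-fanged only for matching.
C2_DOMAIN = "wellnesscaremed[.]com".replace("[.]", ".")

# Processes the advisory names as ieframe.dll-related callers to watch.
MSHTML_HOSTS = {"iexplore.exe", "svchost.exe"}

# Constructed allowlist for this example (assumption, not from the advisory).
ALLOWED_DOMAINS = {"update.microsoft.com"}

# ".lnk" followed by another extension or end of name, case-insensitive, so a
# disguised name like "document.doc.LnK.download" is caught as well as "a.lnk".
_LNK_RE = re.compile(r"\.lnk(?:\.|$)", re.IGNORECASE)

# Constructed sample events in a simplified "image=<path> dest=<host>" form.
SAMPLE_LOG = [
    "image=C:\\Program Files\\Internet Explorer\\iexplore.exe dest=update.microsoft.com",
    "image=C:\\Windows\\System32\\svchost.exe dest=wellnesscaremed.com",
    "image=C:\\Windows\\System32\\svchost.exe dest=files.example.net",
    "image=C:\\Windows\\explorer.exe dest=www.bing.com",
]


def is_suspicious_attachment(filename: str, external_sender: bool) -> bool:
    """Gateway rule: quarantine any .LNK from an external sender, including
    double-extension names that hide the shortcut type."""
    return external_sender and _LNK_RE.search(filename) is not None


def scan_network_log(lines):
    """Return (reason, process, destination) tuples for events that hit the
    C2 indicator or show an MSHTML host process reaching a non-allowlisted host."""
    hits = []
    for line in lines:
        m = re.search(r"image=(.+?)\s+dest=(\S+)", line)
        if not m:
            continue  # not a network/DNS event in the expected shape
        process = m.group(1).lower().rsplit("\\", 1)[-1]
        dest = m.group(2).lower()
        if dest == C2_DOMAIN:
            hits.append(("c2-domain", process, dest))
        elif process in MSHTML_HOSTS and dest not in ALLOWED_DOMAINS:
            hits.append(("unusual-domain", process, dest))
    return hits


if __name__ == "__main__":
    for hit in scan_network_log(SAMPLE_LOG):
        print(hit)
```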
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-21513 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2026-02-10 |
| NVD Last Modified | 2026-03-30 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-693 |
| CISA KEV Added | 2026-02-10 |
| CISA KEV Deadline | 2026-03-03 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-01-30 | Exploit sample (crafted LNK file) first observed on VirusTotal |
| 2026-02-10 | February 2026 Patch Tuesday — patch released; CVE published; added to CISA KEV catalog as active zero-day |
| 2026-03-03 | CISA BOD 22-01 remediation deadline |
| 2026-03-30 | NVD last modified |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2026-21513 | Vendor Advisory |
| NVD — CVE-2026-21513 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| APT28 Tied to CVE-2026-21513 MSHTML Zero-Day | News |
| Russia-Linked APT28 Exploited MSHTML Zero-Day CVE-2026-21513 Before Patch | Security Research |
| Tenable — February 2026 Patch Tuesday Analysis | Security Research |