Fixing and finding
Jump to remediation plan
CVE ID

CVE-2026-21510

Published 2026-02-10
Updated 3 months ago
Vendor/s
Microsoft
Product/s
Windows
Version/s
* > 10.0.14393.8868
KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1)
8.8
/ 10
High
Severity Details
Base score
8.8 High
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Description

CVE-2026-21510 is a high-severity (CVSS 8.8) security bypass in Windows Shell, actively exploited and affecting Windows 10, 11, and Server editions.

CPE

Microsoft logo
Microsoft
Product Version Start Version End (excl.) Status
windows_10_1607 * 10.0.14393.8868 vulnerable
windows_10_1607 * 10.0.14393.8868 vulnerable
windows_10_1809 * 10.0.17763.8389 vulnerable
windows_10_1809 * 10.0.17763.8389 vulnerable
windows_10_21h2 * 10.0.19044.6937 vulnerable
windows_10_21h2 * 10.0.19044.6937 vulnerable
windows_10_21h2 * 10.0.19044.6937 vulnerable
windows_10_22h2 * 10.0.19045.6937 vulnerable
windows_10_22h2 * 10.0.19045.6937 vulnerable
windows_10_22h2 * 10.0.19045.6937 vulnerable
windows_11_23h2 * 10.0.22631.6649 vulnerable
windows_11_23h2 * 10.0.22631.6649 vulnerable
windows_11_24h2 * 10.0.26100.7781 vulnerable
windows_11_24h2 * 10.0.26100.7781 vulnerable
windows_11_25h2 * 10.0.26200.7781 vulnerable
windows_11_25h2 * 10.0.26200.7781 vulnerable
windows_server_2012 - - vulnerable
windows_server_2012 r2 r2 vulnerable
windows_server_2016 * 10.0.14393.8868 vulnerable
windows_server_2019 * 10.0.17763.8389 vulnerable
windows_server_2022 * 10.0.20348.4711 vulnerable
windows_server_2022_23h2 * 10.0.25398.2149 vulnerable
windows_server_2025 * 10.0.26100.32313 vulnerable

Related weakness (CWE)

CWE-693

Remediation plan

1

Apply official patches

Download and install the specific security updates for CVE-2026-21510 provided by the Microsoft Security Response Center (MSRC) for your specific Windows or Windows Server version.

2

Update affected systems

Ensure all systems are running versions beyond the vulnerable thresholds, such as Windows 11 24H2 build 10.0.26100.7781, Windows 10 22H2 build 10.0.19045.6937, and Windows Server 2025 build 10.0.26100.32313.

3

Restrict access

Utilize network firewalls and segmentation to limit exposure of Windows Shell components to untrusted networks, and enforce the principle of least privilege to mitigate the impact of a security bypass.

4

Monitor for exploitation

Review system and security logs for unusual process activity or unauthorized attempts to circumvent security controls, particularly those originating from network-based sources.

Detection Guidance

Detecting exploitation of CVE-2026-21510 requires monitoring for unusual Windows Shell behavior and unauthorized security feature overrides. Security teams should watch for Event ID 4688 (Process Creation) with suspicious parent-child relationships involving shell components. Additionally, monitor network traffic for signatures associated with security bypass attempts and audit Event ID 4673 for sensitive privilege use that deviates from established baselines. Check MSRC-provided IOCs to identify active exploitation patterns.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21510 Vendor Advisory https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21510 US Government Resource

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)

Experience superior visibility and a simpler approach to cyber risk management

Get a demo
Free trial