Fixing and finding
Jump to remediation plan
CVE ID

CVE-2026-21513

Published 2026-02-10
Updated last month
Vendor/s
Microsoft
Product/s
Windows
Version/s
* > 10.0.14393.8868
KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1)
8.8
/ 10
High
Severity Details
Base score
8.8 High
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Description

CVE-2026-21513 is a high-severity (8.8) security feature bypass in Microsoft's MSHTML Framework, currently under active exploitation in the wild.

CPE

Microsoft logo
Microsoft
Product Version Start Version End (excl.) Status
windows_10_1607 * 10.0.14393.8868 vulnerable
windows_10_1607 * 10.0.14393.8868 vulnerable
windows_10_1809 * 10.0.17763.8389 vulnerable
windows_10_1809 * 10.0.17763.8389 vulnerable
windows_10_21h2 * 10.0.19044.6937 vulnerable
windows_10_21h2 * 10.0.19044.6937 vulnerable
windows_10_21h2 * 10.0.19044.6937 vulnerable
windows_10_22h2 * 10.0.19045.6937 vulnerable
windows_10_22h2 * 10.0.19045.6937 vulnerable
windows_10_22h2 * 10.0.19045.6937 vulnerable
windows_11_23h2 * 10.0.22631.6649 vulnerable
windows_11_23h2 * 10.0.22631.6649 vulnerable
windows_11_24h2 * 10.0.26100.7781 vulnerable
windows_11_24h2 * 10.0.26100.7781 vulnerable
windows_11_25h2 * 10.0.26200.7781 vulnerable
windows_11_25h2 * 10.0.26200.7781 vulnerable
windows_server_2012 - - vulnerable
windows_server_2012 r2 r2 vulnerable
windows_server_2016 * 10.0.14393.8868 vulnerable
windows_server_2019 * 10.0.17763.8389 vulnerable
windows_server_2022 * 10.0.20348.4711 vulnerable
windows_server_2022_23h2 * 10.0.25398.2149 vulnerable
windows_server_2025 * 10.0.26100.32313 vulnerable

Related weakness (CWE)

CWE-693

Remediation plan

1

Apply official patches

Install the latest security updates provided by Microsoft through Windows Update or Windows Server Update Services (WSUS) to address the protection mechanism failure in the MSHTML framework.

2

Update affected systems

Verify that Windows 10 (up to 19045.6937), Windows 11 (up to 26200.7781), and Windows Server versions (2012 through 2025) are updated to versions exceeding the vulnerable build thresholds identified in the CPE data.

3

Restrict access

Implement robust email filtering and web gateway policies to block malicious files or links that attempt to trigger MSHTML-based bypasses, as the attack vector typically involves network-delivered content.

4

Monitor for exploitation

Utilize EDR and SIEM tools to detect unusual process behavior originating from MSHTML-related components or attempts to bypass Windows security features like Mark-of-the-Web (MotW).

Detection Guidance

Monitor for unusual child processes spawned by applications utilizing the MSHTML engine, such as Outlook or Office. Look for log entries indicating security feature bypasses or failures in protection mechanisms (CWE-693). Network-level detection should focus on signatures identifying malicious HTML or script content designed to evade browser-based security controls. Review EDR telemetry for unauthorized modifications to security-sensitive registry keys or system files associated with web content rendering.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513 Vendor Advisory https://www.vicarius.io/vsociety/posts/cve-2026-21513-detection-script-security-feature-bypass-vulnerability-in-mshtml-framework Third Party Advisory https://www.vicarius.io/vsociety/posts/cve-2026-21513-mitigation-script-security-feature-bypass-vulnerability-in-mshtml-framework Mitigation Third Party Advisory https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21513 US Government Resource

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)

Experience superior visibility and a simpler approach to cyber risk management

Get a demo
Free trial