Executive Summary
Microsoft patched an actively exploited zero-day vulnerability in the Windows MSHTML Framework (the Trident rendering engine underlying Internet Explorer and legacy IE-mode components in Edge) as part of February 2026 Patch Tuesday. Tracked as CVE-2026-21513, the flaw is a protection mechanism failure in how MSHTML handles hyperlink navigation — specifically within ieframe.dll — that allows an attacker to bypass security zone protections and invoke ShellExecuteExW with attacker-controlled parameters. This enables execution of local or remote resources outside the intended browser security context, without user confirmation dialogs. CISA added CVE-2026-21513 to its Known Exploited Vulnerabilities catalog on February 10, 2026 with a federal agency remediation deadline of March 3, 2026. The vulnerability carries a CVSS 3.1 base score of 8.8.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-21513 |
| Severity | High |
| CVSS v3.1 Score | 8.8 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CWE | CWE-693 — Protection Mechanism Failure |
| Vendor | Microsoft |
| Affected Component | MSHTML Framework (ieframe.dll / Trident engine) |
| Patch Date | February 10, 2026 (Patch Tuesday) |
| CISA KEV Added | February 10, 2026 |
| CISA Remediation Due | March 3, 2026 |
| Exploitation Status | Actively exploited in the wild (zero-day at time of patch) |
Technical Details
Background: MSHTML in Modern Windows
Despite Microsoft's transition away from Internet Explorer, the MSHTML (Trident) rendering engine remains present in all supported versions of Windows. It is used by:
- Legacy applications that embed browser components via `WebBrowser` ActiveX controls
- Microsoft Office applications rendering HTML-formatted emails or embedded web content
- Windows Shell components for processing `.mht`, `.htm`, and `.hta` files
- Internet Explorer mode in Microsoft Edge
This broad presence means the attack surface extends well beyond traditional web browsing.
Vulnerability Root Cause
The vulnerability resides in a hyperlink navigation handling function within ieframe.dll. The function processes the target URL of a navigated hyperlink before resolving it. A flaw in the validation logic — specifically insufficient sanitization of the href target scheme and path — allows attacker-controlled input to reach a call to ShellExecuteExW. This Windows API function, when called with attacker-controlled parameters, executes the specified file or URI using the default handler registered in the Windows Shell, bypassing MSHTML's security zone checks and any associated prompting.
Exploitation Methods
Research by Akamai and other vendors identified two primary exploitation vectors:
Vector 1: Malicious HTML File
1. Attacker crafts a malicious .html or .mht file
2. Delivers via email attachment, phishing page, or web drive-by
3. Victim opens the file (processed by MSHTML/Trident)
4. Crafted hyperlink triggers the vulnerable navigation handler in ieframe.dll
5. ShellExecuteExW called with attacker URI/path — no zone prompt displayed
6. Local executable or remote script executed in Windows Shell context
Vector 2: Office Document with Embedded HTML Content
1. Attacker crafts a Word or Excel file containing an embedded HTML object
2. Office renders the HTML via the MSHTML engine
3. Embedded malicious href triggers the same ieframe.dll code path
4. ShellExecuteExW executes attacker payload without security prompt
5. Combines naturally with CVE-2026-21514 for a compound attack chain
Relationship to CVE-2026-21514
CVE-2026-21513 and CVE-2026-21514 (Microsoft Word OLE bypass) were both patched in the same Patch Tuesday cycle and can be chained: a document that bypasses OLE security via CVE-2026-21514 can embed HTML content that then uses CVE-2026-21513 to invoke ShellExecuteExW — creating a highly reliable two-stage execution chain that bypasses multiple independent security controls simultaneously.
Affected Versions
| Windows Version | Affected Builds | Fixed By |
|---|---|---|
| Windows 11 Version 26H1 | 10.0.28000.x prior to Feb 2026 CU | February 2026 Cumulative Update |
| Windows 11 Version 24H2 | 10.0.26100.x prior to Feb 2026 CU | February 2026 Cumulative Update |
| Windows 11 Version 23H2 | 10.0.22631.x prior to Feb 2026 CU | February 2026 Cumulative Update |
| Windows 10 Version 22H2 | 10.0.19045.x prior to Feb 2026 CU | February 2026 Cumulative Update |
| Windows 10 Version 21H2 | 10.0.19044.x prior to Feb 2026 CU | February 2026 Cumulative Update |
| Windows 10 Version 1809 | 10.0.17763.x prior to Feb 2026 CU | February 2026 Cumulative Update |
| Windows Server 2022 | 10.0.20348.x prior to Feb 2026 CU | February 2026 Cumulative Update |
| Windows Server 2019 | 10.0.17763.x prior to Feb 2026 CU | February 2026 Cumulative Update |
| Windows Server 2016 | Potentially affected | Apply February 2026 updates |
Indicators of Compromise
Process Execution Anomalies
The exploitation of CVE-2026-21513 results in ShellExecuteExW being called from ieframe.dll outside of normal user-driven navigation. Monitor for:
Parent processes of interest:
- iexplore.exe, msedge.exe (IE mode), mshta.exe
- WINWORD.EXE, EXCEL.EXE, OUTLOOK.EXE (Office embedding MSHTML)
Suspicious child processes or shell launches originating from the parent processes above:
- cmd.exe, powershell.exe, pwsh.exe
- wscript.exe, cscript.exe
- regsvr32.exe, rundll32.exe
- Any .exe from %TEMP%, %APPDATA%, or user-writable paths
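The parent/child pairs above, as an added detection example that is not part of the original advisory: it scores constructed process-creation events (field names borrowed from Sysmon Event ID 1; paths and timestamps are made up) against the MSHTML-host and child-process lists in this section. The user-writable-path check is an assumption that approximates %TEMP% and %APPDATA% by a prefix match on C:\Users, C:\Windows\Temp and C:\ProgramData.

```python
# Added example (not from the advisory): flag process-creation events matching
# the parent/child indicators above. Events are constructed dicts shaped like
# Sysmon Event ID 1 records (ParentImage / Image / UtcTime), not real telemetry.
import ntpath
from typing import Dict, List

# Parent processes that host MSHTML, per the IoC list (compared case-insensitively)
MSHTML_HOSTS = {"iexplore.exe", "msedge.exe", "mshta.exe",
                "winword.exe", "excel.exe", "outlook.exe"}
# Shell and script hosts that are suspicious when spawned by an MSHTML host
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "regsvr32.exe", "rundll32.exe"}
# Assumption: a prefix match on these directories approximates "%TEMP%, %APPDATA%,
# or user-writable paths"; adjust for redirected profiles and custom temp dirs.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (ntpath handles backslashes)."""
    return ntpath.basename(path).lower()

def classify(event: Dict[str, str]) -> str:
    """Return a short reason when the event matches an IoC pattern, else ''."""
    parent = _image_name(event["ParentImage"])
    child = _image_name(event["Image"])
    if parent not in MSHTML_HOSTS:
        return ""  # only MSHTML-hosting parents are in scope for this CVE
    if child in SUSPICIOUS_CHILDREN:
        return f"{child} launched by MSHTML host {parent}"
    if child.endswith(".exe") and event["Image"].lower().startswith(USER_WRITABLE_PREFIXES):
        return f"executable in user-writable path launched by {parent}"
    return ""

def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the matching events, each annotated with a Reason field."""
    return [{**ev, "Reason": reason} for ev in events if (reason := classify(ev))]

# Constructed sample telemetry: the first two events should match, the rest not
SAMPLE_EVENTS = [
    {"UtcTime": "2026-02-11 09:12:03", "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2026-02-11 09:14:41", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"UtcTime": "2026-02-11 09:15:02", "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"UtcTime": "2026-02-11 09:16:30", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
```

Feed `hunt()` the parsed ParentImage/Image fields from your EDR or Sysmon export; the third and fourth samples show the two expected negatives (a browser's own renderer child, and a shell launched by a non-MSHTML parent).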
Network Indicators
- DNS resolution of newly-registered domains immediately following HTML file opens
- HTTP/HTTPS requests to external hosts from `iexplore.exe`, `mshta.exe`, or Office applications
- SMB (port 445) connection attempts from workstations to external IPs upon document/HTML open
File System Indicators
- Unexpected files written to `%TEMP%` or `%APPDATA%` shortly after opening an HTML or Office document
- Newly created `.lnk` shortcut files in startup folders or `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`
- Scheduled tasks created by non-administrative processes
Remediation
- Apply the February 2026 Windows Cumulative Update immediately via Windows Update, WSUS, or Microsoft Endpoint Manager (Intune/MECM). This is the definitive fix for CVE-2026-21513.
- Verify patch deployment across all Windows endpoints and servers using your patch management console. Confirm the February 2026 CU is installed (check `winver` or `Get-HotFix` in PowerShell for the relevant KB number).
- Disable Internet Explorer mode in Microsoft Edge if it is not required by line-of-business applications. Navigate to `edge://settings/defaultBrowser` and set "Allow sites to be reloaded in Internet Explorer mode" to "Don't allow."
- Restrict MHTML/HTML file handling via Group Policy to prevent automatic processing of `.htm`, `.html`, and `.mht` files in the MSHTML engine where not needed.
- Enable Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint:
  - Block execution of potentially obfuscated scripts
  - Block JavaScript or VBScript from launching downloaded executable content
  - Block Office applications from creating child processes
- Review email gateway policies to quarantine or sandbox HTML attachments and Office documents from external senders, particularly those with embedded HTML content.
- Enable Enhanced Protected Mode (EPM) in Internet Explorer settings if IE is still required in your environment: Tools > Internet Options > Advanced > Enable Enhanced Protected Mode.
- Hunt for prior exploitation by reviewing EDR telemetry for the anomalous process launches described in the Indicators of Compromise section, covering the period since January 2026.
References
- Microsoft Security Advisory — CVE-2026-21513
- CISA KEV — CVE-2026-21513
- Akamai — Inside the Fix: Analysis of In-the-Wild Exploit of CVE-2026-21513
- Tenable — Microsoft February 2026 Patch Tuesday
- BleepingComputer — Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws
- CrowdStrike — February 2026 Patch Tuesday Analysis
- NVD — CVE-2026-21513
- Wiz — CVE-2026-21513 Impact and Exploitability