Cyber Posture

CVE-2026-21513

HighCISA KEVActive Exploitation

Published: 10 February 2026

Published
10 February 2026
Modified
30 March 2026
KEV Added
10 February 2026
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.2811 96.5th percentile
Risk Priority 54 60% EPSS · 20% KEV · 20% CVSS

Description

Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly requires timely identification, reporting, and correction of flaws like the MSHTML protection mechanism failure in CVE-2026-21513 via patching.

SI-5 Security Alerts, Advisories, and Directives good match
prevent

Mandates receiving, disseminating, and acting on security alerts and directives such as CISA's Known Exploited Vulnerabilities listing for CVE-2026-21513 to ensure rapid remediation.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

Provides vulnerability scanning to identify systems affected by CVE-2026-21513, enabling targeted patching of the MSHTML security feature bypass.

Security SummaryAI

CVE-2026-21513 is a protection mechanism failure vulnerability in the MSHTML Framework, classified under CWE-693. This security feature bypass affects the MSHTML rendering engine, a component historically used in Microsoft Internet Explorer and legacy Edge browsers. Published on February 10, 2026, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

An unauthorized attacker can exploit this vulnerability over a network with low complexity and no required privileges, though user interaction is necessary. By tricking a user into interacting with malicious content, such as via a crafted webpage or document, the attacker can bypass a security feature in MSHTML, potentially leading to arbitrary code execution or other high-impact compromises on the affected system.

Microsoft's update guide at msrc.microsoft.com provides details on patches and remediation. Vicarius offers specific detection and mitigation scripts tailored to this MSHTML security feature bypass. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, signaling active exploitation in the wild and urging immediate patching by federal agencies.

As a high-severity issue in a legacy but still-deployed component, CVE-2026-21513 underscores the risks of unpatched Microsoft browser engines, with confirmed real-world exploitation per CISA. Security practitioners should prioritize inventorying and updating affected systems.

Details

CWE(s)
CWE-693
KEV Date Added
10 February 2026

Affected Products

microsoft
windows 10 1607
≤ 10.0.14393.8868 · ≤ 10.0.14393.8868
microsoft
windows 10 1809
≤ 10.0.17763.8389 · ≤ 10.0.17763.8389
microsoft
windows 10 21h2
≤ 10.0.19044.6937 · ≤ 10.0.19044.6937 · ≤ 10.0.19044.6937
microsoft
windows 10 22h2
≤ 10.0.19045.6937 · ≤ 10.0.19045.6937 · ≤ 10.0.19045.6937
microsoft
windows 11 23h2
≤ 10.0.22631.6649 · ≤ 10.0.22631.6649
microsoft
windows 11 24h2
≤ 10.0.26100.7781 · ≤ 10.0.26100.7781
microsoft
windows 11 25h2
≤ 10.0.26200.7781 · ≤ 10.0.26200.7781
microsoft
windows server 2012
all versions, r2
microsoft
windows server 2016
≤ 10.0.14393.8868
microsoft
windows server 2019
≤ 10.0.17763.8389
+3 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
Why these techniques?

The vulnerability is a security feature bypass in the MSHTML rendering engine exploited via crafted webpages or documents requiring user interaction, directly enabling arbitrary code execution through client-side software exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References