CVE-2026-21513

HighCISA KEVActive Exploitation

Published: 10 February 2026

Published

10 February 2026

Modified

30 March 2026

KEV Added

10 February 2026

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.3103 96.8th percentile

Risk Priority 56 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21513 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Microsoft Windows 10 21H2. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 3.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely identification, reporting, and correction of flaws like the MSHTML protection mechanism failure in CVE-2026-21513 via patching.

SI-5 Security Alerts, Advisories, and Directives good match

prevent

Mandates receiving, disseminating, and acting on security alerts and directives such as CISA's Known Exploited Vulnerabilities listing for CVE-2026-21513 to ensure rapid remediation.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Provides vulnerability scanning to identify systems affected by CVE-2026-21513, enabling targeted patching of the MSHTML security feature bypass.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The vulnerability is a security feature bypass in the MSHTML rendering engine exploited via crafted webpages or documents requiring user interaction, directly enabling arbitrary code execution through client-side software exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.

Deeper analysisAI

CVE-2026-21513 is a protection mechanism failure vulnerability in the MSHTML Framework, classified under CWE-693. This security feature bypass affects the MSHTML rendering engine, a component historically used in Microsoft Internet Explorer and legacy Edge browsers. Published on February 10, 2026, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

An unauthorized attacker can exploit this vulnerability over a network with low complexity and no required privileges, though user interaction is necessary. By tricking a user into interacting with malicious content, such as via a crafted webpage or document, the attacker can bypass a security feature in MSHTML, potentially leading to arbitrary code execution or other high-impact compromises on the affected system.

Microsoft's update guide at msrc.microsoft.com provides details on patches and remediation. Vicarius offers specific detection and mitigation scripts tailored to this MSHTML security feature bypass. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, signaling active exploitation in the wild and urging immediate patching by federal agencies.

As a high-severity issue in a legacy but still-deployed component, CVE-2026-21513 underscores the risks of unpatched Microsoft browser engines, with confirmed real-world exploitation per CISA. Security practitioners should prioritize inventorying and updating affected systems.

Details

CWE(s): CWE-693
KEV Date Added: 10 February 2026

Affected Products

microsoft

windows 10 1607

≤ 10.0.14393.8868 · ≤ 10.0.14393.8868

microsoft

windows 10 1809

≤ 10.0.17763.8389 · ≤ 10.0.17763.8389

microsoft

windows 10 21h2

≤ 10.0.19044.6937 · ≤ 10.0.19044.6937 · ≤ 10.0.19044.6937

microsoft

windows 10 22h2

≤ 10.0.19045.6937 · ≤ 10.0.19045.6937 · ≤ 10.0.19045.6937

microsoft

windows 11 23h2

≤ 10.0.22631.6649 · ≤ 10.0.22631.6649

microsoft

windows 11 24h2

≤ 10.0.26100.7781 · ≤ 10.0.26100.7781

microsoft

windows 11 25h2

≤ 10.0.26200.7781 · ≤ 10.0.26200.7781

microsoft

windows server 2012

all versions, r2

microsoft

windows server 2016

≤ 10.0.14393.8868

microsoft

windows server 2019

≤ 10.0.17763.8389

+3 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2026-21510Same product: Microsoft Windows 10 1607both on KEV

CVE-2026-32202Same product: Microsoft Windows 10 1607both on KEV

CVE-2026-21533Same product: Microsoft Windows 10 1607both on KEV

CVE-2026-20805Same product: Microsoft Windows 10 1607both on KEV

CVE-2026-21525Same product: Microsoft Windows 10 1607both on KEV

CVE-2026-32225Same product: Microsoft Windows 10 1607

CVE-2026-21519Same product: Microsoft Windows 10 1607both on KEV

CVE-2026-32157Same product: Microsoft Windows 10 1607

CVE-2025-59230Same product: Microsoft Windows 10 1607both on KEV

CVE-2025-24990Same product: Microsoft Windows 10 1607both on KEV

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513
Vendor Advisory · secure@microsoft.com
https://www.vicarius.io/vsociety/posts/cve-2026-21513-detection-script-security-feature-bypass-vulnerability-in-mshtml-framework
Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.vicarius.io/vsociety/posts/cve-2026-21513-mitigation-script-security-feature-bypass-vulnerability-in-mshtml-framework
Mitigation, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21513
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0