The Zombie Engine Bites Again: MSHTML MotW Bypass (CVE-2026-21513)
Vulnerability ID: CVE-2026-21513
CVSS Score: 8.8
Published: 2026-02-10
Just when you thought Internet Explorer was dead and buried, its necrotic spirit—the MSHTML engine—has risen from the grave to haunt Windows 11. CVE-2026-21513 is a critical security feature bypass that renders Mark of the Web (MotW) effectively useless. Attackers are currently exploiting this in the wild to bypass SmartScreen and Office Protected View, turning what should be a noisy 'Are you sure?' prompt into silent remote code execution. If you rely on Windows to tell you a file is from the internet, you're currently flying blind.
TL;DR
CVE-2026-21513 allows attackers to bypass 'Mark of the Web' security warnings by exploiting logic flaws in the legacy MSHTML engine. This means malicious files downloaded from the internet execute without SmartScreen or Protected View warnings. It is being actively exploited (Zero-Day). Patch immediately.
⚠️ Exploit Status: ACTIVE
Technical Details
- CWE ID: CWE-693
- Attack Vector: Network (Email/Web)
- CVSS v3.1: 8.8 (High)
- Exploit Status: Active / In the Wild
- EPSS Score: 8.83%
- KEV Listed: Yes (Feb 10, 2026)
- Impact: Security Feature Bypass (MotW)
Affected Systems
- Windows 11 (22H3, 23H2, 24H2, 26H1)
- Windows 10 (1607, 1809, 21H2, 22H2)
- Windows Server 2025
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 / R2
- Windows 11: < 10.0.26100.7840 (Fixed in: 10.0.26100.7840)
- Windows 10: < 10.0.19045.6937 (Fixed in: 10.0.19045.6937)
Exploit Details
- In-the-Wild: Active exploitation confirmed by CISA and CrowdStrike.
Mitigation Strategies
- Apply February 2026 Security Updates immediately.
- Configure Attack Surface Reduction (ASR) rules to block Office child processes.
- Disable the Windows Explorer Preview Pane via GPO to mitigate potential 0-click vectors.
- Block high-risk file extensions (.url, .hta, .lnk) at the email gateway.
Remediation Steps:
- Identify all Windows endpoints using SCCM/Intune.
- Deploy the relevant Cumulative Update (e.g., Build 10.0.26100.7840 for Win 11).
- Reboot endpoints to ensure MSHTML.dll is reloaded.
- Verify the version of mshtml.dll in System32 matches the patch level.
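One way to script the verification step above on an endpoint, as an added example (not code from the original advisory or from Microsoft). It uses only the two fixed builds this page lists; `Test-FixedBuild` and `Get-MshtmlPatchState` are hypothetical helper names, and treating the build and revision parts of the mshtml.dll file version as following the OS build numbering is an assumption.

```powershell
# Added example. Fixed revisions per build branch, taken from this advisory only.
$FixedRevision = @{
    26100 = 7840   # Windows 11: fixed in 10.0.26100.7840
    19045 = 6937   # Windows 10: fixed in 10.0.19045.6937
}

function Test-FixedBuild {   # hypothetical helper name
    param([int]$Build, [int]$Revision)
    # Branches the advisory does not list cannot be judged from this table.
    if (-not $FixedRevision.ContainsKey($Build)) { return 'Unknown' }
    if ($Revision -ge $FixedRevision[$Build]) { return 'Patched' }
    return 'Vulnerable'
}

function Get-MshtmlPatchState {   # hypothetical helper name
    # OS build and update build revision (UBR) as recorded in the registry.
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # File version of the engine on disk.
    $dll = Join-Path $env:SystemRoot 'System32\mshtml.dll'
    $vi  = (Get-Item -LiteralPath $dll).VersionInfo

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        OsBuild       = ('10.0.{0}.{1}' -f $build, $ubr)
        OsStatus      = (Test-FixedBuild -Build $build -Revision $ubr)
        MshtmlVersion = ('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                              $vi.FileBuildPart, $vi.FilePrivatePart)
        # Assumption: the DLL's build.revision follows OS build numbering.
        MshtmlStatus  = (Test-FixedBuild -Build $vi.FileBuildPart -Revision $vi.FilePrivatePart)
    }
}

Get-MshtmlPatchState
```

Any row that is not `Patched` needs follow-up; `Unknown` means this page lists no fixed build for that branch, so check the vendor advisory for it.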