[CDP-development] TLP:GREEN (Vulnerability Alert Notification): CVE-2026-21513 Microsoft MSHTML Framework Security Feature Bypass Vulnerability
Steve J Ketchum
Steve.J.KETCHUM at das.oregon.gov
Wed Feb 11 12:30:08 PST 2026
Good afternoon,
The SOC Services team is reporting on the vulnerability CVE-2026-21513 Microsoft MSHTML Framework Security Feature Bypass Vulnerability disclosed as part of Microsoft's February 2026 Patch Tuesday affecting Windows platforms. We are providing this in-depth information due to its active exploitation.
History: In early February 2026, Microsoft and allied threat researchers disclosed the MSHTML Framework security feature bypass vulnerability tracked as CVE-2026-21513. The vulnerability is currently assigned a CVSSv3 score of 8.8 (High) by Microsoft.
Affected Versions
* Windows 10 (versions 1607, 1809, 21H2, 22H2)
* Windows 11 (versions 22H2, 23H2, 24H2, and 26H1)
* Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2025
Fixed Versions
* February 2026 Cumulative Update
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513
Intelligence: On February 10th, 2026, CISA listed the vulnerability in the Known Exploited Vulnerabilities Catalog.
Exploitability: Low complexity, network exploitability
Complexity: Low
User Interaction: Yes
Remotely Exploitable: Yes
Proof of Concept: Not publicly available
Zero Day: Yes
Workarounds: There are no workarounds for this vulnerability. Patch immediately.
How it Works: An attacker delivers specially crafted HTML or related content that, when rendered by the MSHTML engine, triggers a flaw in the enforcement of security controls, allowing the attacker to bypass protection mechanisms and execute malicious code within the context of the logged-in user.
Post-Exploit Impact: A remote threat actor can bypass MSHTML security protections and execute malicious content in the context of the logged-in user. This can result in arbitrary code execution, data theft, installation of additional payloads, and potential lateral movement within the environment depending on the user's privilege level. (CWE-693: Protection Mechanism Failure)
Tenable Plugins: As of February 10th, 2026, Tenable's list of plugins is extensive. To see a full list of plugins please see the link here: https://www.tenable.com/cve/CVE-2026-21513/plugins.
Recommended Actions:
Date Added to KEV Catalog: February 10, 2026
Due Date for Remediation: March 3, 2026
* Apply Security Updates: Prioritize the installation of the February 2026 cumulative security updates provided by Microsoft for all affected versions.
* Verify host has not been compromised before applying patches.
* Apply appropriate updates provided by the vendor to vulnerable systems after testing.
* Run all software as a non-privileged user to reduce the impact of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
EIS Security Operations Center
Enterprise Information Services
Cyber Security Services | CSS
SOC Hotline: (503) 378-5930
SOC at EIS.OREGON.GOV