Inside the Fix: Analysis of In-the-Wild Exploit of CVE-2026-21513
Feb. 25, 2026, 11:56 a.m.
Description
This analysis examines CVE-2026-21513, a security bypass vulnerability in Microsoft's MSHTML framework, patched in February 2026. The flaw, actively exploited by Russian state-sponsored actor APT28, affects all Windows versions and has a CVSS score of 8.8. Using PatchDiff-AI, researchers traced the root cause to the hyperlink navigation handling in ieframe.dll, which allows arbitrary file execution outside the browser's security context. The exploit involves a crafted Windows Shortcut file that embeds HTML and communicates with APT28-linked infrastructure. It bypasses security measures such as Mark of the Web and IE Enhanced Security Configuration through nested iframes and DOM manipulation, ultimately invoking ShellExecuteExW for out-of-sandbox execution.
Tags
Date
- Created: Feb. 25, 2026, 11:46 a.m.
- Published: Feb. 25, 2026, 11:46 a.m.
- Modified: Feb. 25, 2026, 11:56 a.m.
Indicators
- aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa
Attack Patterns
Additional Information
- wellnesscaremed.com
- Russian Federation