The February 2026 Windows Updates brought a patch for CVE-2026-21510, a security feature bypass in Windows Explorer that allowed a Windows shortcut to launch a remotely hosted DLL without any warning to the user, even if the mark-of-the-web was present.
The vulnerability was found to be exploited in the wild, and a sample was uploaded to malware repositories, which allowed us to reproduce the issue and create patches for legacy Windows users.
The Vulnerability
Normally, when a user double-clicks a Windows shortcut (LNK) file with the mark-of-the-web or located on an untrusted share, Windows Explorer pops up a security warning about the shortcut's untrusted source.
The vulnerability at hand allowed a malicious LNK file, either one copied to the user's computer (thus having the mark-of-the-web) or one located on an untrusted remote share, to bypass this security warning and immediately load and execute a remotely-hosted attacker's DLL.
The flaw was specifically in the way the "All Control Panel Items" GUID was processed. This GUID is normally used for launching Control Panel items, which, in the background, uses shortcut files.
Microsoft's Patch
Microsoft patched this issue by adding a whole new data structure to the windows.storage.dll code, which specifically handles "Control Panel" shortcut files and defines a custom callback that checks both the shortcut file and its target for mark-of-the-web. Before the patch, only the target (C:\Windows\System32\rundll32.dll) was checked for mark-of-the-web.
Our Patch
We took a slightly simpler approach. Our patch injects into the CShellLink::_InvokeDirect function and checks a local variable that contains the path to the shortcut file. First, we check if it ends with ".lnk", and if it does, we perform a MapUrlToZone call on it. This detects both whether the file path is an untrusted network location and whether the file carries the mark-of-the-web. If either is true, our patch pops up a warning telling the user that the file came from an untrusted location and that it may be malicious.
Our use of MapUrlToZone allows the user to add a shared folder address to trusted sites under Internet Options, and disable this warning on any shares they trust.
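To make the two decisions described above concrete (Microsoft's check of both the shortcut and its target, and our ".lnk suffix, then zone lookup" check), here is an added Python model of that logic. It is an example written for this post, not code from the micropatch or from windows.storage.dll: location_zone is a simplified stand-in for MapUrlToZone's default rules (dotless host name = Intranet, IP address or dotted host = Internet) and only honours Trusted Sites through the trusted_sites argument; the Zone.Identifier stream is read from disk on Windows and may be passed in as text elsewhere. The file paths and ZoneId values in the demo are constructed.

```python
"""Model of the shortcut trust decision: is the .lnk on an untrusted network
location, or does it (or its target) carry a mark-of-the-web?
Constructed example; location_zone approximates MapUrlToZone's default rules."""
import ipaddress
import os
import re
from typing import Optional, Tuple

# URLZONE values as defined in urlmon.h
URLZONE_LOCAL_MACHINE = 0
URLZONE_INTRANET = 1
URLZONE_TRUSTED = 2
URLZONE_INTERNET = 3
URLZONE_UNTRUSTED = 4   # "Restricted sites"

_UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def unc_host(path: str) -> Optional[str]:
    """Return the host part of a UNC path (\\host\share\...), else None."""
    m = _UNC_RE.match(path)
    return m.group(1) if m else None


def location_zone(path: str, trusted_sites=()) -> int:
    """Zone the path's location maps to under the default rules: a local drive
    is Local Machine, a UNC path with a dotless host name is Intranet, and a
    UNC path with an IP address or dotted host is Internet unless that host
    has been added to Trusted Sites (assumed simplification of MapUrlToZone)."""
    host = unc_host(path)
    if host is None:
        return URLZONE_LOCAL_MACHINE
    if host.lower() in {h.lower() for h in trusted_sites}:
        return URLZONE_TRUSTED
    try:
        ipaddress.ip_address(host)          # \\10.0.0.5\share style
        return URLZONE_INTERNET
    except ValueError:
        pass
    return URLZONE_INTERNET if "." in host else URLZONE_INTRANET


def parse_zone_identifier(text: Optional[str]) -> Optional[int]:
    """Parse a Zone.Identifier stream ("[ZoneTransfer]\\nZoneId=3") to a zone."""
    if not text:
        return None
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)\s*$", text, re.MULTILINE | re.IGNORECASE)
    return int(m.group(1)) if m else None


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the NTFS Zone.Identifier alternate data stream; None if it is
    absent or we are not on Windows."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def assess_shortcut(path: str, motw_text: Optional[str] = None,
                    trusted_sites=(), target_path: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether Explorer should warn before following the shortcut.
    Only .lnk paths are examined (as in the micropatch). The shortcut is
    untrusted if its location or its mark-of-the-web maps to the Internet or
    Restricted zone; if target_path is given, the same test is applied to the
    target as well (as in Microsoft's fix). Returns (should_warn, reason)."""
    if not path.lower().endswith(".lnk"):
        return False, "not a shortcut file"
    zone = location_zone(path, trusted_sites)
    motw = parse_zone_identifier(motw_text if motw_text is not None else read_zone_identifier(path))
    if motw is not None:
        zone = max(zone, motw)
    if target_path is not None:
        zone = max(zone, location_zone(target_path, trusted_sites))
        target_motw = parse_zone_identifier(read_zone_identifier(target_path))
        if target_motw is not None:
            zone = max(zone, target_motw)
    if zone >= URLZONE_INTERNET:
        return True, f"zone {zone}: shortcut or its target comes from an untrusted location"
    return False, f"zone {zone}: trusted"


if __name__ == "__main__":
    # Constructed sample inputs: an IP-addressed share, an intranet share,
    # and a downloaded file whose Zone.Identifier says ZoneId=3 (Internet).
    samples = [
        (r"\\10.0.0.5\share\run.lnk", None),
        (r"\\fileserver\share\run.lnk", None),
        (r"C:\Users\u\Downloads\setup.lnk", "[ZoneTransfer]\r\nZoneId=3\r\n"),
    ]
    for p, ads in samples:
        print(p, "->", assess_shortcut(p, ads))
```

The max() over the location zone and the mark-of-the-web zone is what makes a copied-in file (local drive, ZoneId=3) and a file opened straight from an IP-addressed share (Internet zone, no stream) land in the same branch, which is exactly the pair of cases the vulnerability let through unchallenged.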
Let's see our patch in action. First, with 0patch disabled, the user double-clicks on a shortcut file hosted on a remote untrusted share (shares identified by IP address instead of a "dotless" host name are untrusted by default). This results in an immediate execution of a remote DLL under the attacker's control, which for the purpose of our demonstration launches the Calculator.
Then, the same is done with 0patch enabled. In this case, double-clicking on the remote shortcut results in a security warning, where the user can decide whether to let the shortcut execute or not.
Micropatch Availability
Micropatches were written for the following security-adopted Windows versions:
- Windows 11 v22H2 - fully updated
- Windows 11 v21H2 - fully updated
- Windows 10 v22H2 - fully updated
- Windows 10 v21H1 - fully updated
- Windows 10 v20H2 - fully updated
- Windows 10 v2004 - fully updated
- Windows 10 v1909 - fully updated
- Windows 10 v1809 - fully updated
- Windows 10 v1803 - fully updated
- Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
- Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
- Windows Server 2012 - fully updated with no ESU or ESU 1
- Windows Server 2012 R2 - fully updated with no ESU or ESU 1
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.
To learn more about 0patch, please visit our Help Center.