About Remote Code Execution – Windows Shell (CVE-2026-21510) vulnerability

About Remote Code Execution – Windows Shell (CVE-2026-21510) vulnerability. A vulnerability from the February Microsoft Patch Tuesday. The Windows Shell is the primary interface through which users interact with the Windows operating system. It includes visible elements such as the Desktop, Taskbar, and the Start Menu. Protection Mechanism Failure (CWE-693) allows an attacker to execute arbitrary code on the system by bypassing the Windows SmartScreen mechanism and Windows Shell warnings. To exploit the vulnerability, an attacker needs to convince a user to open a specially crafted shortcut file (.LNK) or follow a malicious link.

👾 Microsoft reports exploitation in the wild. The vulnerability has been listed in the CISA KEV since February 10.

💬 Microsoft classified the vulnerability as a Security Feature Bypass, but it seems more appropriate to classify it as Remote Code Execution.

🛠 No public exploits are available yet.

In Russian

About Remote Code Execution – Microsoft Word (CVE-2026-21514) vulnerability

About Remote Code Execution – Microsoft Word (CVE-2026-21514) vulnerability. This vulnerability is from the February Microsoft Patch Tuesday. Reliance on Untrusted Inputs in a Security Decision (CWE-807) in Microsoft Office Word allows an unauthenticated attacker to bypass OLE security features when opening a malicious file. The vulnerability is NOT exploitable via the Preview Pane.

👾 Microsoft reports that the vulnerability is being exploited in the wild. It has been listed in CISA KEV since February 10.

💬 Microsoft has classified the vulnerability as a Security Feature Bypass, but given that exploiting such vulnerabilities can lead to arbitrary code execution, it seems reasonable to classify it as Remote Code Execution, similar to the actively exploited CVE-2026-21509.

🛠 No public exploits are available yet.

In Russian

February Linux Patch Wednesday

February Linux Patch Wednesday. In February, Linux vendors addressed 632 vulnerabilities – 1.5× fewer than in January, including 305 in the Linux Kernel. Two vulnerabilities show signs of in-the-wild exploitation:

🔻 RCE – Chromium (CVE-2026-2441)
🔻 InfDisc – MongoDB “MongoBleed” (CVE-2025-14847)

Public exploits are available or suspected for 56 more vulnerabilities. Notable ones include:

🔸 RCE – OpenSSL (CVE-2025-15467, CVE-2025-69421, CVE-2025-11187), pgAdmin (CVE-2025-12762, CVE-2025-13780), DiskCache (CVE-2025-69872), PyTorch (CVE-2026-24747), Wheel (CVE-2026-24049)
🔸 AuthBypass – M/Monit (CVE-2020-36968)
🔸 EoP – Grafana (CVE-2025-41115, CVE-2026-21721), M/Monit (CVE-2020-36969)
🔸 AFR – Proxmox Virtual Environment (CVE-2024-21545)
🔸 SFB – Chromium (CVE-2026-1504), Roundcube (CVE-2026-25916)

🗒 Full Vulristics report

In Russian

February “In the Trend of VM” (#24): vulnerabilities in Microsoft products

February “In the Trend of VM” (#24): vulnerabilities in Microsoft products. A traditional monthly roundup of trending vulnerabilities. This time, compact and all-Microsoft.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

In total, two vulnerabilities:

🔻 RCE – Microsoft Office (CVE-2026-21509)
🔻 InfDisc – Desktop Window Manager (CVE-2026-20805)

🟥 Trending Vulnerabilities Portal

In Russian

February Microsoft Patch Tuesday

February Microsoft Patch Tuesday. A total of 55 vulnerabilities, half as many as in January. There are as many as six (❗️) vulnerabilities being exploited in the wild:

🔻 SFB – Windows Shell (CVE-2026-21510)
🔻 SFB/RCE – Microsoft Word (CVE-2026-21514)
🔻 SFB – MSHTML Framework (CVE-2026-21513)
🔻 EoP – Windows Remote Desktop Services (CVE-2026-21533)
🔻 EoP – Desktop Window Manager (CVE-2026-21519)
🔻 DoS – Windows Remote Access Connection Manager (CVE-2026-21525)

There is also one vulnerability with a public exploit:

🔸 DoS – libjpeg (CVE-2023-2804)

Among the remaining vulnerabilities, the following stand out:

🔹 RCE – Windows Notepad (CVE-2026-20841)
🔹 Spoofing – Outlook (CVE-2026-21511)
🔹 EoP – Windows Kernel (CVE-2026-21231, CVE-2026-21239, CVE-2026-21245), Windows AFD.sys (CVE-2026-21236, CVE-2026-21238, CVE-2026-21241)

🗒 Full Vulristics report

In Russian

I released Vulristics 1.0.11: added Server-Side Request Forgery (SSRF) as a distinct vulnerability type

I released Vulristics 1.0.11: added Server-Side Request Forgery (SSRF) as a distinct vulnerability type. I try to use a very small set of base vulnerability types (around 20) in Vulristics and map everything else to them. With a few exceptions, these are the same types Microsoft uses – and Microsoft doesn’t like SSRF.

SSRF is a vulnerability that allows an attacker to make network requests to arbitrary destinations.

Microsoft usually classifies SSRFs as EoP, Information Disclosure, or RCE. 🤯

I used to map SSRF to Command Injection, based on the logic that crafting a request can be considered a form of command execution. But, of course, that’s… questionable. 🙄

So I decided to add a dedicated SSRF type (with a severity of 0.87) and stopped doing mental gymnastics. 🙂 For the icon, I drew an anvil (a play on words with “forge”). I also uploaded the icon to avleonov.com so that Vulristics HTML reports render correctly.

In Russian

About Remote Code Execution – Microsoft Office (CVE-2026-21509) vulnerability

About Remote Code Execution – Microsoft Office (CVE-2026-21509) vulnerability. The vulnerability was urgently fixed on January 26, outside the regular Microsoft Patch Tuesday. Microsoft classified it as a Security Feature Bypass, but in fact it is more of a Remote Code Execution. The vulnerability involves bypassing OLE (Object Linking and Embedding) security features in Microsoft 365 and Microsoft Office. It is exploited when opening malicious Office files (the Preview Pane is safe).

⚙️ In Office 2021+, protection is enabled automatically via server-side changes after restarting the applications. For Office 2016/2019, updates must be installed or registry changes applied.

👾 Microsoft reports that the vulnerability is being exploited in the wild.

🛠 No public exploits are available yet.

In Russian