@Ericlaw
Ah, so it looks like CVE-2024-21412 is to address a bypass for CVE-2023-36025, which was the fact that remote targets inside of a ZIP didn't get SmartScreen love.
The fix for CVE-2023-36025 didn't consider the case where a .URL file points to a .URL file.
https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html