You are currently viewing Microsoft’s February 2026 Patch Tuesday: Six Zero-Days, 58 flaws Patched Amid Growing Exploit Activity

Microsoft’s February 2026 Patch Tuesday: Six Zero-Days, 58 flaws Patched Amid Growing Exploit Activity

  • Post author:
  • Reading time:6 mins read

The second Tuesday of the month has arrived, bringing another significant wave of Microsoft security updates. In February 2026, Microsoft issued patches for 58 vulnerabilities, including six actively exploited zero-day flaws and five rated Critical.

As part of this month’s release, Microsoft has also begun rolling out updated Secure Boot certificates ahead of the June 2026 expiration of the legacy 2011 certificates — a major infrastructure milestone affecting Windows boot integrity across devices.

Just like in previous months, Elevation of Privilege (EoP) flaws dominate the vulnerability categories, followed by Remote Code Execution (RCE) and Security Feature Bypass issues.

Summary Overview

CategoryNumber of Flaws
Total Vulnerabilities58
Zero-Days (Actively Exploited)6
Critical5
Elevation of Privilege (EoP)25
Remote Code Execution (RCE)12
Security Feature Bypass5
Information Disclosure6
Spoofing7
Denial of Service (DoS)3

Key takeaway:
Privilege escalation vulnerabilities remain the most common attack vector—accounting for almost half of this month’s patches—while security feature bypass flaws continue to play a major role in real-world phishing and malware delivery campaigns.

Zero-Day Vulnerabilities (Actively Exploited)

Microsoft confirmed six zero-days were exploited in the wild prior to patch availability. Three of them were also publicly disclosed.

CVE-2026-21510 — Windows Shell Security Feature Bypass

This zero-day enables attackers to slip past Windows SmartScreen and Shell warning dialogs simply by persuading a victim to open a malicious shortcut or link file, allowing untrusted code to launch without the expected protections. Microsoft attributes the issue to flawed processing inside Windows Shell components, which mishandles certain crafted file types and suppresses safety prompts that would ordinarily alert users. Because the attack vector relies on social engineering rather than technical complexity, it fits well into phishing and malware-delivery campaigns that aim to bypass Mark-of-the-Web restrictions. Discovery of this flaw by multiple Microsoft security teams alongside Google’s Threat Intelligence Group suggests widespread monitoring of live exploitation activity and coordinated defensive analysis across vendors.

CVE-2026-21513 — MSHTML Framework Security Feature Bypass

A weakness in the MSHTML rendering framework allows attackers to circumvent a critical protection layer by distributing manipulated HTML or LNK files that exploit a gap in the engine’s verification logic. The bypass can be triggered remotely, making it suitable for email-based delivery or other forms of internet-facing distribution where documents or HTML content are opened by users. Microsoft intentionally provided minimal technical information, a move typically reserved for vulnerabilities already being leveraged in targeted intrusions, to prevent threat actors from replicating the exploit before patches are widely applied. The identification of this flaw by various Microsoft teams and Google’s intelligence unit highlights how it surfaced in multi-source telemetry, reinforcing warnings that attackers were already experimenting with or operationalizing the exploit.

CVE-2026-21514 — Microsoft Word Security Feature Bypass

This vulnerability affects Microsoft Word’s handling of embedded components and allows certain malicious documents to sidestep OLE-based defensive measures once a user opens them, enabling attackers to introduce unsafe content into trusted Office workflows. Although the exploitation requires user interaction, the bypass is potent because it undermines a core safety boundary designed to block misuse of embedded controls within documents. Microsoft emphasized that the issue does not activate through the Preview Pane, which slightly reduces opportunistic attacks but still leaves users vulnerable when directly opening files from email or cloud storage.

CVE-2026-21519 — Desktop Window Manager (DWM) Elevation of Privilege

This Desktop Window Manager flaw provides a path for local attackers to escalate privileges to SYSTEM, allowing full administrative control whenever they already have a foothold on the machine. Even though Microsoft withheld deeper technical specifics, vulnerabilities of this nature are frequently employed during the later stages of an intrusion to disable defenses, pivot across the environment, or run privileged payloads silently. The detection of the issue by Microsoft’s threat intelligence units suggests that the exploit surfaced during active incident monitoring, likely at the same time as the other zero-day exploitation chains identified this month.

CVE-2026-21525 — Remote Access Connection Manager Denial of Service

This vulnerability stems from a null pointer dereference inside the Remote Access Connection Manager (RASMAN), allowing an attacker with local access to crash the service and interrupt remote-access connectivity such as VPN sessions. Although the impact is limited to denial-of-service rather than code execution, disrupting RAS functionality can hinder enterprise operations, especially in organizations relying heavily on remote connectivity for workforce access. ACROS Security, the reporting party, discovered the exploit inside a publicly accessible malware repository, indicating that the flaw was already circulating among threat actors or being tested for use in disruptive campaigns.

CVE-2026-21533 — Remote Desktop Services Elevation of Privilege

This Remote Desktop Services zero-day allows attackers to elevate privileges to SYSTEM under specific conditions, making it extremely valuable in environments that rely on RDS for administrative sessions or host multiple remote users. An attacker who compromises a low-privileged RDP session could use this flaw to gain full control over a system, facilitating lateral movement, credential harvesting, or persistence mechanisms typically associated with advanced intrusion campaigns. The vulnerability was identified by CrowdStrike, pointing to real-world detection during incident response operations or threat-hunting engagements where privilege escalation within RDP workflows was observed.

Affected Products

February’s patch wave affects nearly all major Microsoft components, including:

  • Windows (client & server)
  • Microsoft Office & Microsoft 365
  • Azure services & Windows Defender
  • .NET, GitHub Copilot, Visual Studio, Power BI
  • Internet Explorer, MSHTML, SmartScreen, Windows Shell
  • Windows Secure Boot

The full list of affected products is as follows:

  • .NET
  • Azure Arc
  • Azure Compute Gallery
  • Azure DevOps Server
  • Azure Front Door (AFD)
  • Azure Function
  • Azure HDInsights
  • Azure IoT SDK
  • Azure Local
  • Azure SDK
  • Desktop Window Manager
  • Github Copilot
  • GitHub Copilot and Visual Studio
  • GitHub Copilot and Visual Studio Code
  • Mailslot File System
  • Microsoft Defender for Linux
  • Microsoft Edge (Chromium-based)
  • Microsoft Edge for Android
  • Microsoft Exchange Server
  • Microsoft Graphics Component
  • Microsoft Office Excel
  • Microsoft Office Outlook
  • Microsoft Office Word
  • MSHTML Framework
  • Power BI
  • Role: Windows Hyper-V
  • Windows Ancillary Function Driver for WinSock
  • Windows App for Mac
  • Windows Cluster Client Failover
  • Windows Connected Devices Platform Service
  • Windows GDI+
  • Windows HTTP.sys
  • Windows Kernel
  • Windows LDAP – Lightweight Directory Access Protocol
  • Windows Notepad App
  • Windows NTLM
  • Windows Remote Access Connection Manager
  • Windows Remote Desktop
  • Windows Shell
  • Windows Storage
  • Windows Subsystem for Linux
  • Windows Win32K – GRFX

Remediation Steps

  • Apply fixes for actively exploited CVEs immediately.
  • Organizations should verify rollout compatibility, especially in environments with custom boot policies.
  • With 25 Elevation of Privilege flaws addressed, ensure logging and alerting for suspicious elevation activity.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.