Microsoft’s February 2026 Patch Tuesday shipped fixes for 58 vulnerabilities, including six zero-days confirmed as actively exploited and three publicly disclosed issues. Microsoft also fixed five “Critical” flaws in this release, with the remainder largely classed as Important. (BleepingComputer)
At-a-glance highlights
- Total fixed: 58 vulnerabilities (Microsoft-only count for the day; excludes Edge fixes shipped earlier). (BleepingComputer)
- Zero-days: 6 actively exploited; 3 were publicly disclosed at release. (BleepingComputer)
- Category split (largest buckets): 25 Elevation of Privilege, 12 Remote Code Execution, 7 Spoofing, 6 Information Disclosure, 5 Security Feature Bypass, 3 DoS. (BleepingComputer)
- Secure Boot: Microsoft continued rollout of updated Secure Boot certificates, replacing 2011 certificates expiring in late June 2026 (important for long-lived/air-gapped estates). (BleepingComputer)
Zero-days (actively exploited)
Publicly disclosed + exploited (3)
These are “patch now” for user endpoints because exploitation relies on lures (links/shortcuts/docs) rather than deep access.
- CVE-2026-21510 (Windows Shell Security Feature Bypass) — Used to bypass protections such as Windows prompts/SmartScreen-style warnings; requires user interaction (opening a link/shortcut). (Tenable®)
- CVE-2026-21513 (MSHTML/IE framework Security Feature Bypass) — Affects the legacy MSHTML stack still reachable on Windows; can be abused via crafted HTML/shortcut-style delivery to bypass security controls. (Tenable®)
- CVE-2026-21514 (Microsoft Word Security Feature Bypass) — Triggered by opening a crafted Word document; Microsoft notes the Preview Pane is not an attack vector, but it remains a realistic phish payload. (Tenable®)
Not publicly disclosed, but exploited in-the-wild (3)
These are especially relevant post-compromise (privilege escalation / disruption), and are high-priority for servers, jump hosts, and shared admin machines.
- CVE-2026-21519 (Desktop Window Manager EoP) — Local privilege escalation to SYSTEM; multiple sources highlight it as actively exploited. (Tenable®)
- CVE-2026-21533 (Windows Remote Desktop Services EoP) — Despite the name, reporting indicates this is a local privilege escalation scenario; CrowdStrike provided additional details about abuse patterns observed. (Tenable®)
- CVE-2026-21525 (Windows Remote Access Connection Manager DoS) — A locally reachable DoS that can disrupt remote access/VPN-style connectivity; unusual to see DoS in active exploitation, but it’s flagged as such in multiple reviews. (Tenable®)
Recommended patching priority (practical order)
- Endpoint “initial access” lures: CVE-2026-21510 / CVE-2026-21513 / CVE-2026-21514 (because they align with phish + one-click/open-file workflows). (Tenable®)
- Privilege-escalation chain blockers: CVE-2026-21519 and CVE-2026-21533 on admin workstations, jump boxes, RDS hosts, and shared servers. (Zero Day Initiative)
- Availability risk: CVE-2026-21525 where RasMan/RAS connectivity is operationally critical. (NVD)
- Secure Boot certificate updates: ensure compliance/testing in image management and offline fleets before late-June certificate expiry risk windows. (BleepingComputer)