Microsoft Patches 6 Zero-Day Vulnerabilities, 58 Flaws in February 2026 Update
Microsoft has released its February 2026 Patch Tuesday updates, addressing a total of 58 vulnerabilities. Six of these are actively exploited zero-day vulnerabilities, three of which have been publicly disclosed. The update also fixes five critical vulnerabilities, several of them elevation of privilege and information disclosure flaws.
Overview of February 2026 Vulnerabilities
The breakdown of vulnerabilities includes:
- 25 Elevation of Privilege vulnerabilities
- 5 Security Feature Bypass vulnerabilities
- 12 Remote Code Execution vulnerabilities
- 6 Information Disclosure vulnerabilities
- 3 Denial of Service vulnerabilities
- 7 Spoofing vulnerabilities
This count does not include fixes for Microsoft Edge, which were released earlier this month. Microsoft is also rolling out new Secure Boot certificates, because the original certificates from 2011 will expire in late June 2026. The rollout is phased, with certificates deployed based on device readiness.
Details of Actively Exploited Zero-Days
The following are the details of the six actively exploited zero-day vulnerabilities:
- CVE-2026-21510: A security feature bypass in Windows Shell that can be exploited through malicious links or shortcuts.
- CVE-2026-21513: A security feature bypass in the MSHTML framework that can be exploited over the network.
- CVE-2026-21514: A Microsoft Word security feature bypass that requires a user to open a malicious Office file.
- CVE-2026-21519: An elevation of privilege vulnerability in the Desktop Window Manager that allows an attacker to gain SYSTEM privileges.
- CVE-2026-21525: A denial of service vulnerability in the Windows Remote Access Connection Manager that can be exploited without user authentication.
- CVE-2026-21533: An elevation of privilege flaw in Windows Remote Desktop Services enabling attackers to elevate privileges locally.
Of these vulnerabilities, CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514 have been publicly disclosed.
Contributions to Vulnerability Discovery
The discovery of these flaws has been attributed to several teams, including the Microsoft Threat Intelligence Center (MSTIC), the Microsoft Security Response Center (MSRC), and collaborators from Google Threat Intelligence Group.
Response and Further Updates
Detailed reports on the cumulative updates for Windows 11 and Windows 10 cover the non-security updates released alongside these fixes. Microsoft ensures regular updates that enhance both security and functionality.
System administrators are advised to act promptly in applying these updates to maintain the integrity and security of their systems.