SparTech Software CyberPulse – Your quick strike cyber update for February 12, 2026 5:02 AM

Microsoft February 2026 Patch Tuesday Addresses 59 Vulnerabilities Including Six Actively Exploited Zero-Days

This summary outlines Microsoft’s February 2026 Patch Tuesday security updates, which patch 59 vulnerabilities across Windows and related components, including six zero-day flaws actively exploited in the wild, prompting urgent remediation for affected systems.

Overview of the Update

Microsoft’s monthly Patch Tuesday release on the second Tuesday of February 2026 delivers fixes for 59 Common Vulnerabilities and Exposures (CVEs) in its ecosystem. Among these, five are rated Critical, 52 Important, and two Moderate. The vulnerabilities span categories such as privilege escalation (25 instances), remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial-of-service (3), and cross-site scripting (1). Six zero-days stand out due to confirmed in-the-wild exploitation, leading the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add them to its Known Exploited Vulnerabilities catalog with a March 3, 2026, patching deadline for federal agencies.

Key Zero-Day Vulnerabilities

CVE-2026-21510: Windows Shell Security Feature Bypass

This vulnerability, with a CVSS score of 8.8, represents a protection mechanism failure in the Windows Shell. It enables an unauthorized attacker to bypass security features over a network, requiring user interaction such as clicking a booby-trapped shortcut or link. Exploitation suppresses standard security dialogs for untrusted content, facilitating payload delivery without user suspicion. Technically, it exploits mishandling in shell link processing, where malformed .lnk files trigger bypasses in user interface security checks, potentially chaining into remote code execution via embedded scripts or binaries.

CVE-2026-21513: MSHTML Framework Security Feature Bypass

Also scored at CVSS 8.8, this flaw affects the MSHTML Framework used for rendering HTML in applications like Office. Attackers craft malicious HTML files or .lnk shortcuts that, when opened, evade MSHTML security checks. This weakens sandbox protections in browsers or Office apps, enabling code execution or phishing. The root cause lies in improper validation of HTML elements during parsing, allowing attackers to inject executable content that bypasses mark-of-the-web warnings and zone security policies.

CVE-2026-21514: Microsoft Word Security Feature Bypass

With a CVSS score of 5.5, this local bypass arises because Word relies on untrusted input when making security decisions. Victims must open a malicious document, after which embedded or active content executes despite the blocks that should apply. It stems from flawed input sanitization in Word’s macro and object handling, where attacker-controlled data influences Protected View or macro security enforcement.

CVE-2026-21525: Windows Remote Access Connection Manager Denial-of-Service

Scored at CVSS 6.2, this affects the RasMan service, allowing unauthenticated local attackers to crash it with low complexity. No privilege escalation or code execution occurs, but availability is severely impacted. The issue arises from buffer over-reads in connection handling protocols, triggered by malformed Remote Access Service (RAS) packets.

Additional Critical Issues

Azure components face two CVSS 9.8 vulnerabilities: CVE-2026-21531 in the Azure SDK, enabling remote code execution via deserialization flaws in API calls, and CVE-2026-24300 in Azure Front Door, a bypass in traffic routing that exposes backend services. The update also refreshes the Secure Boot certificates ahead of the June 2026 expiration of the certificates issued in 2011.

Technical Recommendations

Administrators should prioritize zero-day patches via Windows Update, verify installation through MBSA or PowerShell cmdlets like Get-HotFix, and monitor for exploitation indicators such as anomalous .lnk handling or RasMan crashes. Endpoint detection rules for CVE-2026-21510/21513 should flag network-delivered shortcuts with suspicious metadata.
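The two checks recommended above, combined in one PowerShell script as an added example (not code from the advisory or from Microsoft): it confirms with Get-HotFix whether the required KB articles are installed, then looks back over the System log for unexpected terminations of the Remote Access Connection Manager service, which the Service Control Manager records as event IDs 7031 and 7034. The KB identifiers are placeholders, since the page does not list them; take the real ones for each OS build from the February 2026 release notes.

```powershell
# Added example, not from the page. KB numbers are placeholders: substitute the
# February 2026 KB identifiers for the OS build being checked.
param(
    [string[]]$RequiredKBs = @('KB0000000'),   # PLACEHOLDER, see release notes
    [int]$LookbackDays = 30
)

function Test-PatchInstalled {
    param([string[]]$KBs)
    # Get-HotFix lists installed updates by their HotFixID (e.g. KB5xxxxxx).
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBs) {
        [pscustomobject]@{
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

function Get-RasManCrashes {
    param([int]$Days)
    # Service Control Manager writes 7031/7034 to the System log when a service
    # terminates unexpectedly; the message names the service's display name.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Remote Access Connection Manager' } |
        Select-Object TimeCreated, Id, Message
}

Test-PatchInstalled -KBs $RequiredKBs | Format-Table -AutoSize

$crashes = @(Get-RasManCrashes -Days $LookbackDays)
if ($crashes.Count -gt 0) {
    Write-Warning "RasMan terminated unexpectedly $($crashes.Count) time(s) in the last $LookbackDays days; correlate with patch state and RAS traffic."
    $crashes | Format-Table -AutoSize
} else {
    Write-Host "No unexpected RasMan terminations in the last $LookbackDays days."
}
```

A RasMan termination is only an indicator: confirm the cause from the matching Application-log crash details before treating it as exploitation of CVE-2026-21525.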
