SparTech Software CyberPulse – Your quick strike cyber update for February 11, 2026 10:41 AM

Microsoft February 2026 Patch Tuesday Addresses 50+ Vulnerabilities Including Six Exploited Zero-Days

This summary encapsulates Microsoft’s February 2026 Patch Tuesday release, which patches over 50 security vulnerabilities, prominently featuring six zero-day flaws actively exploited in the wild. These updates target critical components across Windows, Office, and related services, urging immediate deployment to mitigate ongoing threats from nation-state actors and cybercriminals.

Overview of the Patch Release

Microsoft’s monthly security update cycle, known as Patch Tuesday, delivered fixes for approximately 50 to 60 common vulnerabilities and exposures (CVEs) in February 2026. The release covers vulnerabilities spanning privilege escalation, remote code execution, security feature bypasses, denial-of-service conditions, and more. Among these, six zero-days stand out due to confirmed in-the-wild exploitation, reported by entities like Google Threat Intelligence, Microsoft Threat Intelligence Center, and CrowdStrike. The U.S. Cybersecurity and Infrastructure Security Agency has cataloged all six in its Known Exploited Vulnerabilities list, mandating remediation for federal agencies by early March 2026.

Security Feature Bypass Zero-Days

Three of the zero-days enable attackers to circumvent protective mechanisms designed to alert users or sandbox untrusted content. CVE-2026-21513 targets the MSHTML/Trident rendering engine in Internet Explorer on Windows platforms. Exploitation involves crafting a malicious HTML file or Windows shortcut (.lnk) that manipulates how the browser and Windows Shell process content. When a user interacts with the file—often via social engineering—the flaw evades sandboxing and warning prompts, facilitating subsequent payload delivery like phishing or code execution.

CVE-2026-21514 affects Microsoft Word, allowing bypass of Object Linking and Embedding (OLE) mitigations in Microsoft 365 and Office suites. A specially crafted Office document processes untrusted inputs to disable protections against embedded active content, echoing recent emergency patches for similar issues. Attackers distribute these via email attachments, tricking users into opening them without triggering defenses.

The third, CVE-2026-21510, impacts Windows Shell, enabling bypass of SmartScreen and security prompts through malicious links or shortcuts. This network-vector flaw requires user interaction but suppresses consent dialogs, streamlining arbitrary file execution. All three were publicly disclosed prior to patching, heightening urgency as exploit code proliferates.

Privilege Escalation and Denial-of-Service Zero-Days

CVE-2026-21519 resides in the Desktop Window Manager (DWM), a core compositing service. On compromised systems, local attackers escalate to SYSTEM privileges without additional interaction. The vulnerability stems from mishandled memory or object states during window management, allowing arbitrary code execution at elevated levels. Post-exploitation, adversaries gain full host control for persistence, lateral movement, or data exfiltration.

CVE-2026-21525 targets the Windows Remote Access Connection Manager (RasMan), handling VPN and dial-up connections. An unprivileged local user crashes the service via a simple script or crafted input, yielding a denial-of-service (DoS). In enterprise settings with “fail-closed” VPN policies, this severs network access, isolating endpoints from management tools. Larger deployments risk cascading failures, ideal for distraction during parallel attacks on infrastructure. Routing and Remote Access Service (RRAS) servers warrant prioritized patching.

Finally, CVE-2026-21533 affects Windows Remote Desktop Services (RDS). Exploits modify service configuration registry keys to insert attacker-controlled entries, enabling the addition of privileged users such as Administrators. CrowdStrike observed usage against North American targets since late December 2025, predicting increased adoption post-disclosure by exploit brokers.

Technical Deep Dive into Exploitation Mechanics

Common threads in these zero-days reveal patterns in Microsoft’s attack surface. Security feature bypasses like CVE-2026-21510 and CVE-2026-21513 leverage type confusion or improper input validation in shell and rendering pipelines. For instance, malformed .lnk files exploit ShellExecute APIs to redirect execution paths, skipping Mark-of-the-Web (MOTW) checks that flag downloads as risky. Mitigation historically relies on Application Verifier or sandboxing, now bolstered by updated heuristics in Windows Defender.

In RasMan (CVE-2026-21525), the DoS stems from unbounded buffer handling in connection state machines. Attackers send malformed Remote Access Service Control Manager (RASCM) packets, triggering exceptions that terminate worker threads without recovery. Forensics from public malware samples show PowerShell one-liners invoking rasapi32.dll calls to overflow queues.

RDS escalation (CVE-2026-21533) abuses registry virtualization gaps in Terminal Services. The exploit binary alters HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters keys, hijacking user enumeration during session initialization. Detection involves monitoring registry hives for anomalous DACL modifications via ETW logging.

Broader Implications and Additional Vulnerabilities

Beyond zero-days, patches address critical Azure flaws like CVE-2026-21531 in Azure SDK and CVE-2026-24300 in Azure Front Door, both scoring 9.8 on CVSS for remote unauthenticated attacks. Privilege escalations dominate (25 CVEs), followed by remote code execution (12), underscoring endpoint hardening needs. Organizations should sequence patching: zero-days first, then criticals, using tools like WSUS or Intune for staged rollout. Enhanced Secure Boot certificate rotation accompanies updates, preempting 2011 cert expirations.

Threat actors, including those tracked by MSTIC, favor these for initial access in supply chain and ransomware campaigns. Endpoint Detection and Response (EDR) rules targeting .lnk/Office anomalies and RasMan crashes enhance proactive defense.
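The detection guidance above (registry monitoring for the TermService\Parameters key in the RDS section, and EDR rules for RasMan crashes in this one) can be expressed as a small triage script. The code below is an added example, not part of the original post or any vendor tooling. The event records are constructed for the example; their field names (EventID 13 with TargetObject/Image/User for registry value writes, EventIDs 7031/7034 with ServiceName for unexpected service terminations) follow Sysmon and Service Control Manager conventions, but the allow-list of expected writer processes and the ten-minute burst window are assumptions to tune per environment.

```python
"""Triage constructed Windows event records for two behaviours named in the
post: writes to the Terminal Services parameters key (CVE-2026-21533) and
repeated RasMan service crashes (CVE-2026-21525). Added example; assumptions
are marked inline."""

from dataclasses import dataclass
from datetime import datetime, timedelta

# Registry path named in the post; compared case-insensitively.
TERMSERVICE_PARAMS = r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters"

# Processes expected to touch that key in normal operation (assumption; tune locally).
ALLOWED_WRITERS = {r"c:\windows\system32\svchost.exe",
                   r"c:\windows\system32\services.exe"}

# Service Control Manager IDs for "service terminated unexpectedly".
SERVICE_CRASH_IDS = {7031, 7034}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def check_registry_event(ev):
    """Sysmon-style registry value set (ID 13) under the TermService key
    from a process outside the allow-list -> Finding, else None."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if not target.lower().startswith(TERMSERVICE_PARAMS.lower()):
        return None
    image = ev.get("Image", "")
    if image.lower() in ALLOWED_WRITERS:
        return None
    return Finding("termservice_registry_write", ev.get("Computer", "?"),
                   f"{image} (user {ev.get('User')}) set {target}")


def check_rasman_crashes(events, window=timedelta(minutes=10)):
    """Group RasMan crash events per host; two crashes inside `window`
    (assumed threshold) are reported as a burst, a single one as a crash."""
    by_host = {}
    for ev in events:
        if ev.get("EventID") in SERVICE_CRASH_IDS and \
                ev.get("ServiceName", "").lower() == "rasman":
            host = ev.get("Computer", "?")
            by_host.setdefault(host, []).append(
                datetime.fromisoformat(ev["TimeCreated"]))
    findings = []
    for host, times in by_host.items():
        times.sort()
        burst = any(b - a <= window for a, b in zip(times, times[1:]))
        rule = "rasman_crash_burst" if burst else "rasman_crash"
        findings.append(Finding(rule, host,
                                f"{len(times)} RasMan termination(s); burst={burst}"))
    return findings


def scan(events):
    """Run both rules over a list of event dicts and return all findings."""
    findings = [f for f in (check_registry_event(ev) for ev in events) if f]
    findings.extend(check_rasman_crashes(events))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": TERMSERVICE_PARAMS + r"\LicensingSetting"},
    {"EventID": 13, "Computer": "WS01",
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "User": r"CORP\alice",
     "TargetObject": TERMSERVICE_PARAMS + r"\SomeValue"},
    {"EventID": 13, "Computer": "WS01",
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "User": r"CORP\alice",
     "TargetObject": r"HKLM\SOFTWARE\Vendor\App\Setting"},
    {"EventID": 7034, "Computer": "WS01", "ServiceName": "RasMan",
     "TimeCreated": "2026-02-10T09:00:00"},
    {"EventID": 7031, "Computer": "WS01", "ServiceName": "RasMan",
     "TimeCreated": "2026-02-10T09:03:00"},
    {"EventID": 7034, "Computer": "WS02", "ServiceName": "Spooler",
     "TimeCreated": "2026-02-10T09:05:00"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Running the script on the constructed sample yields two findings: the Temp-directory executable writing under the TermService parameters key, and a RasMan crash burst on WS01; the svchost write, the unrelated registry path and the Spooler crash are ignored. The allow-list is deliberately narrow; in production, pair it with the ETW-based DACL monitoring the post mentions rather than relying on image path alone, since a legitimate binary can be abused to write the key.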
