Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws

Security Reporter

Microsoft's February 2026 Patch Tuesday addresses 58 security vulnerabilities, including 6 actively exploited zero-days and 3 publicly disclosed flaws, with updates spanning Windows, Azure, Office, and other Microsoft products.

Microsoft has released its February 2026 Patch Tuesday security updates, addressing a total of 58 vulnerabilities across its product ecosystem. The updates include fixes for six actively exploited zero-day vulnerabilities, three of which were publicly disclosed before patches were available.

Critical vulnerabilities and security updates

The February 2026 Patch Tuesday includes five "Critical" vulnerabilities: three elevation of privilege flaws and two information disclosure flaws. The vulnerabilities break down by category as follows:

  • 25 Elevation of Privilege vulnerabilities
  • 5 Security Feature Bypass vulnerabilities
  • 12 Remote Code Execution vulnerabilities
  • 6 Information Disclosure vulnerabilities
  • 3 Denial of Service vulnerabilities
  • 7 Spoofing vulnerabilities

Microsoft has also begun rolling out updated Secure Boot certificates to replace the original 2011 certificates that are set to expire in late June 2026. The company is implementing a phased rollout approach, delivering new certificates only to devices that show sufficient successful update signals.

Actively exploited zero-days

Windows Shell Security Feature Bypass (CVE-2026-21510)

Microsoft has patched an actively exploited Windows security feature bypass that can be triggered by opening specially crafted link or shortcut files. The vulnerability allows attackers to bypass Windows SmartScreen and Windows Shell security prompts by exploiting improper handling in Windows Shell components, enabling attacker-controlled content to execute without user warning or consent.

While Microsoft hasn't shared further details, this likely allows attackers to bypass the Mark of the Web (MoTW) security warnings that typically alert users to potentially unsafe files downloaded from the internet.
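For defenders who want context on where MoTW-tagged shortcuts sit on an endpoint, the following added example (not from the article or from Microsoft) parses the NTFS `Zone.Identifier` stream that carries the Mark of the Web and flags link/shortcut files marked as coming from the Internet zone. The `.lnk`/`.url` extension set, the function names and the sample stream are assumptions made for illustration; the script inventories files for review and does not detect exploitation of CVE-2026-21510.

```python
# Added example, not from the article: triage shortcut files by Mark of the Web.
import configparser
from pathlib import Path

SHORTCUT_EXTS = {".lnk", ".url"}  # assumption: the "link or shortcut files" in scope
INTERNET_ZONE = 3                 # URLZONE_INTERNET; 4 is the restricted zone

def parse_zone_identifier(text):
    """Parse Zone.Identifier stream text into (zone_id, host_url), or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
        zone_id = cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None
    return zone_id, cp.get("ZoneTransfer", "HostUrl", fallback=None)

def read_motw(path):
    """Read the NTFS alternate data stream; None when absent or not on NTFS."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def triage(name, stream_text):
    """Classify one file from its name and Zone.Identifier text (None if no stream)."""
    if Path(name).suffix.lower() not in SHORTCUT_EXTS:
        return "skip"
    if stream_text is None:
        return "no-motw"  # created locally, or the mark did not survive delivery
    parsed = parse_zone_identifier(stream_text)
    if parsed is None:
        return "malformed-motw"
    return "review" if parsed[0] >= INTERNET_ZONE else "lower-zone"

def scan(root):
    """Walk a directory (e.g. a Downloads folder) and triage every file in it."""
    return {str(p): triage(p.name, read_motw(p))
            for p in Path(root).rglob("*") if p.is_file()}

# Constructed sample of what a browser writes for a downloaded shortcut.
SAMPLE_INTERNET = (
    "[ZoneTransfer]\nZoneId=3\n"
    "ReferrerUrl=https://example.test/\n"
    "HostUrl=https://example.test/invoice.lnk\n"
)

if __name__ == "__main__":
    print(triage("invoice.lnk", SAMPLE_INTERNET))
```

On a Windows host, `scan()` pointed at user download and temp directories gives a list of Internet-zone shortcuts to review while the update is being deployed.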

MSHTML Framework Security Feature Bypass (CVE-2026-21513)

An actively exploited MSHTML security feature bypass flaw in Windows has been addressed. The vulnerability involves protection mechanism failure in the MSHTML Framework, allowing unauthorized attackers to bypass security features over a network. No specific exploitation details have been provided.

Microsoft Word Security Feature Bypass (CVE-2026-21514)

Microsoft has fixed a security feature bypass flaw in Microsoft Word that is actively exploited. The vulnerability requires an attacker to send a malicious Office file and convince the user to open it. The update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls. Microsoft notes that the flaw cannot be exploited in the Office Preview Pane.

Desktop Window Manager Elevation of Privilege (CVE-2026-21519)

An actively exploited elevation of privilege flaw in the Desktop Window Manager has been patched. Successful exploitation of this vulnerability could allow an attacker to gain SYSTEM privileges. No details have been shared on how it was exploited.

Windows Remote Access Connection Manager Denial of Service (CVE-2026-21525)

Microsoft fixed an actively exploited denial of service flaw in the Windows Remote Access Connection Manager. The vulnerability involves a null pointer dereference that allows an unauthorized attacker to deny service locally. No details have been shared on why or how this flaw was exploited in attacks.

Windows Remote Desktop Services Elevation of Privilege (CVE-2026-21533)

An elevation of privilege flaw in Windows Remote Desktop Services has been addressed. The vulnerability involves improper privilege management that allows an authorized attacker to elevate privileges locally. No details have been shared on how this flaw was exploited.

Other vendor updates

Several other technology companies have released security updates and advisories in February 2026:

  • Adobe released security updates for Audition, After Effects, InDesign, Substance 3D, Adobe Lightroom Classic, and other software. None of the flaws are reported as exploited.

  • BeyondTrust released security updates for a critical RCE flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software.

  • CISA issued a new binding operational directive requiring federal agencies to remove network edge devices that have reached the end of support.

  • Cisco released security updates for Secure Web Appliance, Cisco Meeting Management, and additional products.

  • Fortinet released security updates for FortiOS and FortiSandbox.

  • Google released Android's February security bulletin, which includes no security fixes.

  • n8n fixed critical vulnerabilities that act as a patch bypass for the previously fixed CVE-2025-68613 RCE flaw.

  • SAP released February security updates for multiple products, including fixes for two critical vulnerabilities.

  • Microsoft has started rolling out built-in Sysmon functionality in Windows 11 insider builds, which many Windows administrators will find useful.

Complete vulnerability list

The February 2026 Patch Tuesday updates resolve numerous vulnerabilities across Microsoft's product portfolio. The complete list includes critical issues in Azure services, Windows components, Microsoft Office applications, and development tools. Organizations should prioritize patching the actively exploited zero-days and critical vulnerabilities affecting their environments.

Administrators are advised to test and deploy these updates promptly, particularly the fixes for the six actively exploited zero-day vulnerabilities, to protect their systems from known attack vectors.
