Microsoft's February 2026 Patch Tuesday addresses 59 security flaws, including six zero-days actively exploited in the wild, with critical vulnerabilities in Windows Shell, MSHTML Framework, and Remote Desktop.
Microsoft has released its February 2026 security updates, addressing a total of 59 vulnerabilities across its software ecosystem, including six zero-day flaws that are currently being exploited in the wild. The patches come as part of the company's regular Patch Tuesday schedule and include fixes for critical security issues that could allow attackers to bypass security features, elevate privileges, and execute remote code.
Critical Vulnerabilities and Active Exploits
Among the 59 patched vulnerabilities, five have been rated as Critical, 52 as Important, and two as Moderate in severity. The most concerning aspect of this month's update is the inclusion of six zero-day vulnerabilities that Microsoft has confirmed are being actively exploited:
- CVE-2026-21510 (CVSS 8.8) - A protection mechanism failure in Windows Shell that allows unauthorized attackers to bypass security features over a network
- CVE-2026-21513 (CVSS 8.8) - A protection mechanism failure in MSHTML Framework enabling security feature bypass
- CVE-2026-21514 (CVSS 7.8) - Reliance on untrusted inputs in Microsoft Office Word for security decision bypass
- CVE-2026-21519 (CVSS 7.8) - Type confusion vulnerability in Desktop Window Manager allowing local privilege escalation
- CVE-2026-21525 (CVSS 6.2) - Null pointer dereference in Windows Remote Access Connection Manager causing denial of service
- CVE-2026-21533 (CVSS 7.8) - Improper privilege management in Windows Remote Desktop enabling local privilege escalation
Technical Analysis of Key Zero-Days
Security researchers have provided detailed insights into the nature of these vulnerabilities. Jack Bicer, director of vulnerability research at Action1, explained that CVE-2026-21513 represents a significant security risk: "It is caused by a protection mechanism failure that allows attackers to bypass execution prompts when users interact with malicious files. A crafted file can silently bypass Windows security prompts and trigger dangerous actions with a single click."
Satnam Narang, senior staff research engineer at Tenable, noted that CVE-2026-21513 and CVE-2026-21514 share similarities with CVE-2026-21510. The primary distinction is that CVE-2026-21513 can be exploited using an HTML file, while CVE-2026-21514 requires a Microsoft Office file for exploitation.
Kev Breen, senior director of cyber threat research at Immersive, emphasized the severity of the privilege escalation vulnerabilities: "These are local privilege escalation vulnerabilities, which means an attacker must have already gained access to a vulnerable host. This could occur through a malicious attachment, a remote code execution vulnerability, or lateral movement from another compromised system."
Once an attacker exploits these vulnerabilities, they can elevate privileges to SYSTEM level, potentially disabling security tooling, deploying additional malware, or accessing sensitive credentials that could lead to full domain compromise.
Exploitation Context and Attribution
CrowdStrike, which reported CVE-2026-21533, has not attributed the exploitation activity to any specific adversary. However, the company warned that threat actors in possession of the exploit binaries are likely to increase their efforts to use or sell them in the near term.
Adam Meyers, head of Counter Adversary Operations at CrowdStrike, provided technical details on the exploitation method: "The CVE-2026-21533 exploit binary modifies a service configuration key, replacing it with an attacker-controlled key, which could enable adversaries to escalate privileges to add a new user to the Administrator group."
Government Response and Mandates
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded swiftly to these threats by adding all six actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This action requires Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by March 3, 2026, providing a three-week window for remediation.
Additional Security Enhancements
Beyond the vulnerability patches, Microsoft is implementing broader security improvements across its ecosystem. The company is rolling out updated Secure Boot certificates to replace the original 2011 certificates, which will expire in late June 2026. These new certificates will be installed automatically through the regular monthly Windows update process.
Microsoft has warned that devices failing to receive the new Secure Boot certificates before the 2011 certificates expire will enter a degraded security state. While these systems will continue to function normally, they will become increasingly vulnerable to boot-level attacks and may face compatibility issues with newer operating systems and security features.
Windows Baseline Security Mode and User Transparency
The company is also introducing two significant security initiatives: Windows Baseline Security Mode and User Transparency and Consent. These initiatives are part of Microsoft's broader Secure Future Initiative and Windows Resiliency Initiative.
Windows Baseline Security Mode will move Windows toward operating with runtime integrity safeguards enabled by default. These safeguards ensure that only properly signed applications, services, and drivers are allowed to run, protecting the system from tampering or unauthorized changes.
User Transparency and Consent, analogous to Apple's macOS Transparency, Consent, and Control (TCC) framework, will introduce a consistent approach to handling security decisions. The operating system will prompt users when applications attempt to access sensitive resources such as files, camera, or microphone, or when they try to install unintended software.
Logan Iyer, Distinguished Engineer at Microsoft, emphasized the user-centric design: "These prompts are designed to be clear and actionable, and you'll always have the ability to review and change your choices later. Apps and AI agents will also be expected to meet higher transparency standards, giving both users and IT administrators better visibility into their behaviors."
Vulnerability Distribution and Impact
The distribution of vulnerability types in this month's update reveals the diverse attack surface that Microsoft continues to address:
- Privilege escalation: 25 vulnerabilities
- Remote code execution: 12 vulnerabilities
- Spoofing: 7 vulnerabilities
- Information disclosure: 6 vulnerabilities
- Security feature bypass: 5 vulnerabilities
- Denial-of-service: 3 vulnerabilities
- Cross-site scripting: 1 vulnerability
This comprehensive update underscores the ongoing challenges that software vendors face in securing complex, interconnected systems against increasingly sophisticated threat actors. Organizations are strongly advised to prioritize the deployment of these patches, particularly for the actively exploited zero-day vulnerabilities, to protect their systems from potential compromise.
Comments
Please log in or register to join the discussion