February 2026 Patch Tuesday: Six Active Zero-Days & 53 Other Flaws Addressed

Microsoft released its February 2026 Patch Tuesday security updates, resolving a total of 59 vulnerabilities across Windows and multiple Microsoft products and components.

The release includes six zero-day vulnerabilities, all of which were confirmed as actively exploited in the wild. Three of these zero-days had also been publicly disclosed prior to the patch. In addition, five vulnerabilities received a Critical severity rating, signaling a higher risk of impact if left unaddressed.

Elevation of Privilege vulnerabilities dominated this month’s release, accounting for over 40% of all patches. Remote Code Execution vulnerabilities comprised approximately 20% of the fixes, with a notable concentration in GitHub Copilot, Visual Studio, Azure services, and Hyper-V components.

Zero-Day Vulnerabilities Addressed in February 2026

The February 2026 Patch Tuesday release addressed six actively exploited zero-day vulnerabilities, marking an unusually high number of in-the-wild exploits for a single monthly update. Three of these flaws were also publicly disclosed before patches became available.

• CVE-2026-21510 (CVSS 8.8) – Windows Shell Security Feature Bypass
• CVE-2026-21513 (CVSS 8.8) – Internet Explorer Security Feature Bypass
• CVE-2026-21514 (CVSS 7.8) – Microsoft Word Security Feature Bypass
• CVE-2026-21519 (CVSS 7.8) – Desktop Window Manager Elevation of Privilege
• CVE-2026-21533 (CVSS 7.8) – Windows Remote Desktop Services Elevation of Privilege
• CVE-2026-21525 (CVSS 6.2) – Windows Remote Access Connection Manager Denial of Service

Actively Exploited Zero-Days: Security Feature Bypass Cluster

Three of the six actively exploited vulnerabilities involve security feature bypasses, suggesting coordinated exploitation potentially by the same threat actors or in related attack campaigns.

CVE-2026-21510 – Windows Shell Security Feature Bypass

This vulnerability allows attackers to bypass Windows SmartScreen and Windows Shell security prompts by convincing users to open a malicious link or shortcut file. Microsoft rated the issue as Important with a CVSS score of 8.8. The flaw was publicly disclosed prior to patch availability.

According to Microsoft’s advisory, successful exploitation requires only a single user click, making it particularly dangerous for phishing campaigns. Microsoft credited Google Threat Intelligence Group (GTIG), its internal security teams, and an anonymous researcher for discovering the vulnerability, suggesting it may have been used in sophisticated attacks.

CVE-2026-21513 – Internet Explorer Security Feature Bypass

Despite Internet Explorer’s long deprecation, this security feature bypass in the MSHTML Framework continues to pose risks. The vulnerability can be exploited by convincing victims to open a specially crafted HTML or LNK file, potentially leading to code execution. With a CVSS score of 8.8, this flaw was both publicly disclosed and actively exploited before patches were available.

The vulnerability was discovered by Microsoft and GTIG, further supporting the theory that these flaws may be part of coordinated exploitation campaigns.

CVE-2026-21514 – Microsoft Word Security Feature Bypass

This vulnerability bypasses OLE mitigations in Microsoft 365 and Office, exposing users to vulnerable COM/OLE controls when opening malicious Office files. Microsoft assigned it a CVSS score of 7.8 and confirmed active exploitation. The Preview Pane is not an attack vector, but users frequently open documents received via email, making this a practical threat.

Discovery was credited to Google Threat Intelligence Group, Microsoft’s internal security teams, and an anonymous researcher. The vulnerability was publicly disclosed prior to patching.

Elevation of Privilege Zero-Days

CVE-2026-21519 – Desktop Window Manager Elevation of Privilege

This marks the second consecutive month that a Desktop Window Manager (DWM) elevation of privilege vulnerability has been exploited in the wild, suggesting the January patch may not have fully resolved the underlying issue. The vulnerability allows local authenticated attackers to gain SYSTEM-level privileges with a CVSS score of 7.8.

DWM is responsible for rendering the Windows graphical user interface, making it a high-value target for attackers seeking to establish deep system access. This flaw is typically paired with code execution vulnerabilities in multi-stage attack chains.

CVE-2026-21533 – Windows Remote Desktop Services Elevation of Privilege

Despite the “Remote” designation, this is a local vulnerability stemming from improper privilege management in Windows Remote Desktop Services. Successful exploitation allows attackers to escalate to SYSTEM privileges with a CVSS score of 7.8.

CrowdStrike was credited with discovering this vulnerability. Systems running Remote Desktop Services represent attractive targets for lateral movement after initial compromise.

Denial of Service Zero-Day

CVE-2026-21525 – Windows Remote Access Connection Manager Denial of Service

It is unusual to see DoS vulnerabilities under active exploitation, but this null pointer dereference in the Windows Remote Access Connection Manager (RasMan) allows unauthorized attackers to deny service locally. The vulnerability received a Moderate severity rating with a CVSS score of 6.2.

Acros Security’s 0patch team was credited with discovering this flaw. The vulnerability could disrupt VPN connections and remote access capabilities, particularly impacting remote workers and enterprise connectivity.

CISA Calls for Action

Due to confirmed active exploitation, CISA added all six actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, setting a remediation due date of March 3, 2026 for federal agencies and organizations.

Enhance Vulnerability Management with SOCRadar

With six actively exploited zero-days in a single month, organizations face significant challenges in prioritizing remediation efforts. SOCRadar’s Vulnerability Intelligence, delivered through its Cyber Threat Intelligence module, helps security teams focus on what matters by adding real-world context such as exploitation status, threat actor interest, and observed attack patterns.

With SOCRadar, your security team can:

• Rank vulnerabilities more effectively by correlating severity, affected vendors and products, and live exploit indicators
• Track exploit activity and associate CVEs with ongoing or emerging threat campaigns to support risk-based decisions
• Observe how vulnerabilities progress after disclosure, from early proof-of-concept code to active abuse, enabling more confident remediation planning

Critical Vulnerabilities in February 2026 Patch Tuesday

Microsoft addressed five critical-severity vulnerabilities as part of its February 2026 Patch Tuesday updates, primarily impacting Azure cloud services and confidential computing environments.

Azure Cloud Service Vulnerabilities:

• CVE-2026-24300 (CVSS 9.8) – Azure Front Door Elevation of Privilege
• CVE-2026-24302 (CVSS 8.6) – Azure Arc Elevation of Privilege
• CVE-2026-21532 (CVSS 8.2) – Azure Function Information Disclosure

According to Microsoft’s advisories, CVE-2026-24300, CVE-2026-24302, and CVE-2026-21532 have already been fully mitigated by Microsoft on the service side. These CVEs are published for transparency purposes, and no customer action is required for these specific Azure vulnerabilities.

Azure Confidential Computing:

• CVE-2026-21522 (CVSS 6.7) – Microsoft ACI Confidential Containers Elevation of Privilege
• CVE-2026-23655 (CVSS 6.5) – Microsoft ACI Confidential Containers Information Disclosure

These two vulnerabilities affect Azure Container Instances (ACI) Confidential Containers. CVE-2026-21522 enables container escape scenarios, while CVE-2026-23655 could disclose secret tokens and keys. Organizations using ACI confidential computing should prioritize these patches.

High-Risk Vulnerabilities to Watch in February Patch Tuesday

Beyond the critical and zero-day fixes, Microsoft identified several vulnerabilities assessed as more likely to be exploited:

Azure and Development Tools:

• CVE-2026-21531 (CVSS 9.8) – Azure SDK for Python Remote Code Execution
• CVE-2026-21256 (CVSS 8.8) – GitHub Copilot and Visual Studio Remote Code Execution
• CVE-2026-21516 (CVSS 8.8) – GitHub Copilot for JetBrains Remote Code Execution
• CVE-2026-21523 (CVSS 8.0) – GitHub Copilot and Visual Studio Code Remote Code Execution

CVE-2026-21531 tops the severity chart with a CVSS score of 9.8. The vulnerability allows remote, unauthenticated attackers to execute code via a maliciously crafted continuation token in systems using the Azure SDK for Python.

The GitHub Copilot and Visual Studio vulnerabilities involve command injection flaws, including prompt injection techniques that can trick AI agents into executing malicious code. Developers represent high-value targets due to their access to sensitive credentials, API keys, and privileged cloud infrastructure.

Core Windows Components:

• CVE-2026-21231 (CVSS 7.8) – Windows Kernel Elevation of Privilege
• CVE-2026-21238 (CVSS 7.8) – Windows Ancillary Function Driver for WinSock Elevation of Privilege
• CVE-2026-21241 (CVSS 7.0) – Windows Ancillary Function Driver for WinSock Elevation of Privilege
• CVE-2026-21253 (CVSS 7.0) – Mailslot File System Elevation of Privilege

These vulnerabilities allow local attackers to escalate to SYSTEM privileges, enabling follow-on attacks after initial compromise.

Microsoft Office:

• CVE-2026-21511 (CVSS 7.5) – Microsoft Outlook Spoofing

This deserialization vulnerability in Outlook can be triggered via crafted emails, with the Preview Pane serving as an attack vector. The flaw could be used to relay NTLM credentials, potentially leading to credential disclosure. Microsoft assessed this as “Exploitation More Likely.”

While none of the non-zero-day vulnerabilities were confirmed as actively exploited at the time of release, their “more likely” designation signals a higher risk of weaponization. Organizations should prioritize patching affected systems, particularly developer workstations, internet-facing Azure services, and endpoints with elevated privilege workflows.

Also Important: Microsoft Patches Notepad RCE in February 2026 Patch Tuesday

As part of the February 2026 Patch Tuesday cycle, Microsoft addressed CVE-2026-20841, a remote code execution flaw affecting the modern Microsoft Store version of Windows Notepad.

The vulnerability (CVSS 8.8) could allow an attacker to execute code if a user opens a specially crafted Markdown (.md) file and clicks a malicious embedded link. The issue stems from improper validation of protocol handlers within the Store-based Notepad app. The legacy Notepad.exe bundled with Windows is not affected.

The flaw impacts Notepad versions prior to 11.2510. Organizations should ensure the app is updated via the Microsoft Store, as the fix is not delivered through standard Windows cumulative updates.

Although Microsoft has not reported active exploitation, enterprises should verify Store app updates are included in patch management workflows to reduce exposure.

Secure Boot Certificate Updates Continue

As part of the February updates, Microsoft continues rolling out replacement Secure Boot certificates to address the expiration of original 2011 certificates set to expire in June 2026. This phased rollout includes targeting data to identify devices ready to receive new certificates, ensuring a safe deployment across the Windows ecosystem.

The certificates being replaced include:

• Microsoft Corporation KEK CA 2011 (expires June 2026)
• Microsoft Corporation UEFI CA 2011 (expires June 2026)
• Microsoft Windows Production PCA 2011 (expires October 2026)

Apply Microsoft’s Security Updates

Microsoft’s February 2026 security updates address vulnerabilities across widely used products, many of which are directly exposed to user interaction or internet-facing infrastructure. Systems affected by these flaws should be patched without delay, with priority given to:

1. Systems with the six actively exploited zero-days
2. Developer workstations using GitHub Copilot, Visual Studio, or Azure SDK
3. Servers running Remote Desktop Services
4. Azure confidential computing environments
5. Endpoints with Microsoft Office applications

See Microsoft’s February 2026 release notes for the full details of patched CVEs.

Applying updates, however, does not always eliminate risk. Some assets may remain exposed, partially patched, or newly reachable after changes in infrastructure or configuration. SOCRadar Attack Surface Management (ASM) continuously identifies internet-facing assets, detects unpatched systems, and surfaces configuration weaknesses that attackers commonly exploit.

When ASM is integrated into routine patch workflows, your security team can:

• Identify assets that were missed or exposed after patch deployment
• Confirm whether critical fixes were applied across the external attack surface
• Focus remediation efforts on assets most likely to be targeted

Pairing Microsoft patching with continuous external visibility helps teams understand what is truly secured and what still needs attention.