Microsoft’s February security update is a big one. This latest “Patch Tuesday” fixes 58 vulnerabilities in total, six of which are zero-day flaws. As a reminder, a zero-day is a vulnerability that has been either actively exploited in the wild or publicly disclosed before an official fix is released by the developer.
As BleepingComputer reports, security flaws were found in the following categories: 25 elevation-of-privilege vulnerabilities, five security feature bypass vulnerabilities, 12 remote code-execution vulnerabilities, six information disclosure vulnerabilities, three denial of service vulnerabilities, and seven spoofing vulnerabilities. Three of the elevation of privilege vulnerabilities and two of the information disclosure vulnerabilities are considered “critical.” (These numbers do not include the three Microsoft Edge vulnerabilities patched earlier in February.)
Patch Tuesday updates are typically released around 10 am PT on the second Tuesday of every month, and your device should receive them automatically. BleepingComputer reports that this month’s release also includes Secure Boot certificate updates for 2011 certificates that are expiring in June.
Six zero-days patched in February
Three of the six actively exploited zero-days fixed in February are security feature bypass vulnerabilities:
-
CVE-2026-21510: This is a flaw the Windows Shell that allows an attacker to execute content without warning or gaining user consent, though the user does need to open a malicious link or shortcut file.
-
CVE-2026-21513: This MSHTML Framework vulnerability allows an unauthorized attacker to bypass a security feature over a network. Microsoft has not released details on how this flaw was exploited.
-
CVE-2026-21514: This vulnerability in Microsoft Word allows an attacker to bypasses OLE mitigations in Microsoft 365 and Microsoft Office once a user has opened a malicious Office file.
All three of the above flaws have been attributed to Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), Office Product Group Security Team, and Google Threat Intelligence Group along with an anonymous researcher for CVE-2026-21510 and CVE-2026-21514.
What do you think so far?
Two of the zero-days are elevation of privilege vulnerabilities. CVE-2026-21519 is a Desktop Windows Manager flaw that allows an attacker to gain SYSTEM privileges, while CVE-2026-21533 is a Windows Remote Desktop Services flaw that allows an attacker to elevate privileges locally. The former has been attributed to MSTIC and MSRC, while the latter was discovered by the Advanced Research Team at CrowdStrike.
Finally, CVE-2026-21525 is a denial of service vulnerability in the Windows Remote Access Connection Manager that allows an unauthorized attacker to deny service locally. This flaw was discovered by the ACROS Security team with 0patch—it was reportedly found in a public malware repository in December 2025.
