Microsoft February 2026 Patch Tuesday: Six Zero-Days Raise the Alarm

Microsoft’s February 2026 Patch Tuesday has arrived with a familiar-looking headline and an unusually urgent subtext. While the overall volume of fixes is typical for a February release, the number of actively exploited zero-day vulnerabilities stands out sharply this month, making this a high-priority update for enterprise environments.

February 2026 Patch Tuesday at a glance

In total, Microsoft released 58 Microsoft CVEs, which rises to 62 CVEs when third‑party and Chromium‑related fixes are included. Six vulnerabilities confirmed as exploited in the wild at the time of release, three of which were also publicly disclosed before patches were available. Five vulnerabilities are rated Critical, two Moderate, and the remainder Important in severity.

What makes this month exceptional is not the volume, but the exploit activity. Six exploited bugs is an unusually high number, especially compared to January, which had only one exploited vulnerability despite patching nearly twice as many CVEs.

Six actively exploited zero-days

All six exploited vulnerabilities affect core Windows or Office components, and several fall into the category of security feature bypasses, which can be chained with other bugs to enable full compromise.

The six exploited zero-days fixed in February 2026 are:

• CVE‑2026‑21510 – Windows Shell Security Feature Bypass
  This flaw allows attackers to bypass Windows security prompts, including protections associated with downloaded files. Exploitation requires user interaction, such as opening a specially crafted link or shortcut file, but successful exploitation may allow attacker‑controlled content to run without warning.
  
• CVE‑2026‑21513 – MSHTML Framework Security Feature Bypass
  Affecting the MSHTML engine, this vulnerability allows attackers to bypass built‑in security mechanisms over the network. While exploitation details are limited, the presence of MSHTML in Windows means the attack surface remains broader than many administrators expect.
  
• CVE‑2026‑21514 – Microsoft Word Security Feature Bypass
  This flaw enables attackers to bypass OLE mitigations in Microsoft Word by tricking users into opening a malicious Office document. Microsoft notes that the Preview Pane is not an attack vector, but user interaction is still sufficient for exploitation.
  
• CVE‑2026‑21519 – Desktop Window Manager Elevation of Privilege
  A local elevation‑of‑privilege vulnerability in the Desktop Window Manager (DWM) that can allow attackers to gain SYSTEM‑level privileges after initial access. DWM has now appeared in exploited vulnerabilities in consecutive Patch Tuesday releases, reinforcing its status as a recurring target.
  
• CVE‑2026‑21525 – Windows Remote Access Connection Manager Denial of Service
  A locally exploitable denial‑of‑service vulnerability caused by a null pointer dereference. While less severe than privilege escalation or RCE, it is still confirmed as exploited in the wild.
  
• CVE‑2026‑21533 – Windows Remote Desktop Services Elevation of Privilege
  This vulnerability allows authenticated attackers to escalate privileges to SYSTEM via Remote Desktop Services.

Critical vulnerabilities beyond the zero-days

In addition to the exploited flaws, Microsoft patched five Critical vulnerabilities. These include issues affecting Azure services, where successful exploitation could lead to information disclosure or privilege escalation in cloud environments.

While none of the Azure vulnerabilities are currently listed as exploited, their Critical severity means cloud administrators should prioritize validation and deployment, particularly in multi‑tenant or internet‑facing deployments.

What IT admins should do now

This is a “patch quickly” month for Windows and Office environments. The concentration of exploited zero‑days, particularly security feature bypasses and elevation‑of‑privilege flaws, means delaying updates materially increases risk.

Windows Update testing and best practices

Organizations looking to deploy this month’s patches should conduct thorough testing before deploying them widely on production systems. That said, applying the patches widely shouldn’t be delayed longer than necessary, as hackers start to work out how to weaponize newly reported vulnerabilities.

A best practice is to make sure you have backed up systems before applying updates. Every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases.

There are backup tools built into Windows and Windows Server that you can use to restore systems in the event a patch causes a problem. The backup features in Windows can be used to restore an entire system, or files and folders on a granular basis.