Microsoft has released its February 2026 Patch Tuesday updates, addressing a total of 58 security vulnerabilities across Windows and related products.
The update is especially critical, as it fixes six actively exploited zero-day flaws, three of which had already been publicly disclosed before patches were available.
Among the 58 vulnerabilities, Microsoft has classified five as “Critical.” These include three elevation of privilege flaws and two information disclosure issues. The remaining bugs are spread across multiple categories, with 25 elevation of privilege vulnerabilities, 12 remote code execution flaws, seven spoofing issues, six information disclosure bugs, five security feature bypass flaws, and three denial of service vulnerabilities. As usual, these numbers only include fixes released directly by Microsoft on Patch Tuesday and do not count Microsoft Edge flaws patched earlier this month.
Alongside the security fixes, Microsoft has also started a phased rollout of updated Secure Boot certificates. These new certificates will replace the original 2011 Secure Boot certificates that are set to expire in late June 2026. According to Microsoft, Windows quality updates now include additional targeting data to ensure devices receive the new certificates safely and only after demonstrating reliable update behavior, reducing the risk of system issues during the transition.
The most serious aspect of this month’s updates is the six actively exploited zero-day vulnerabilities. One of them, CVE-2026-21510, is a Windows Shell security feature bypass that can be triggered when a user opens a specially crafted link or shortcut file. Microsoft says attackers could exploit improper handling in Windows Shell components to bypass security warnings such as SmartScreen and potentially the Mark of the Web protections.
Another actively exploited flaw, CVE-2026-21513, affects the MSHTML framework and allows attackers to bypass security features over a network. While Microsoft has not shared exploitation details, the vulnerability has been confirmed as actively used in attacks. CVE-2026-21514, meanwhile, impacts Microsoft Word and allows attackers to bypass OLE mitigations by tricking users into opening a malicious Office document. Microsoft notes that this flaw cannot be exploited through the Office Preview Pane.
The remaining zero-days include CVE-2026-21519, an elevation of privilege vulnerability in Desktop Window Manager that could allow attackers to gain SYSTEM-level access. CVE-2026-21525 is a denial-of-service flaw in the Windows Remote Access Connection Manager that was found in a public malware repository and previously patched by ACROS Security through its 0patch service before Microsoft released an official fix. Finally, CVE-2026-21533 is an elevation of privilege issue in Windows Remote Desktop Services that allows attackers to escalate privileges and potentially add new users to the local Administrators group, according to researchers at CrowdStrike.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
Of the six zero-day vulnerabilities fixed this month, CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514 were publicly disclosed before patches were released. Microsoft has not confirmed whether all six flaws were exploited as part of the same campaign. Given the active exploitation and the breadth of issues addressed, users and organizations are strongly advised to install the February 2026 updates as soon as possible to reduce their exposure to ongoing attacks.
