Microsoft’s February 2026 Patch Tuesday, released on February 9, 2026, addressed 58 vulnerabilities across Windows, Office, and other components, including six actively exploited zero-days.This update featured five Critical flaws, with elevation of privilege issues dominating at 25 total.
Vulnerability Breakdown
The patches covered diverse categories, prioritizing high-risk exploits.
- 25 Elevation of Privilege vulnerabilities
- 12 Remote Code Execution vulnerabilities
- 7 Spoofing vulnerabilities
- 6 Information Disclosure vulnerabilities
- 5 Security Feature Bypass vulnerabilities
- 3 Denial of Service vulnerabilities
Key Zero-Days
Six zero-days were patched, three publicly disclosed prior; immediate deployment is critical for enterprises.
- CVE-2026-21510: Windows Shell Security Feature Bypass via malicious links/shortcuts, bypassing SmartScreen/MoTW
- CVE-2026-21513: OLE mitigations bypass in Office, requires user to open malicious file
- CVE-2026-21514: Related Office bypass, same researchers
- CVE-2026-21525: Windows Remote Access Connection Manager DoS
- CVE-2026-21533: Elevation of Privilege, observed adding admin users (CrowdStrike)
Zero-Day Vulnerability Breakdown
CVE-2026-21510
CVSS v3.1: 8.8 (High)
Component: Windows Shell
Type: Security Feature Bypass
Attack Vector: Network / Remote (User Interaction Required)
A Windows Shell protection mechanism failure allows attackers to bypass SmartScreen and Mark-of-the-Web (MoTW) using specially crafted links or shortcut files. Victims are typically lured via phishing emails or messages, and upon clicking the malicious content, code execution can occur without elevated privileges.
CVE-2026-21513
CVSS v3.1: 8.8 (High)
Component: MSHTML Framework
Type: Security Feature Bypass
Attack Vector: Network / Remote (User Interaction Required)
This flaw enables attackers to bypass MSHTML security mitigations (legacy IE/Edge components). Exploitation occurs when users are tricked into loading malicious remote content, allowing attackers to evade built-in protections and execute code.
CVE-2026-21514
CVSS v3.1: 7.8 (High)
Component: Microsoft Word
Type: Security Feature Bypass
Attack Vector: Local / Network (User Interaction Required)
A Microsoft Word security feature bypass exploited via malicious Office documents. Opening the crafted file allows attackers to evade Office protections. This vulnerability has been observed in targeted attacks and is linked to the same research lineage as CVE-2026-21513.
CVE-2026-21519
CVSS v3.1: 7.8 (High)
Component: Desktop Window Manager (dwm.exe)
Type: Elevation of Privilege
Attack Vector: Local (Authenticated)
This vulnerability allows an attacker with initial access to escalate privileges locally, making it a powerful post-compromise exploit for moving from standard user to higher privilege levels.
CVE-2026-21525
CVSS v3.1: 6.2 (Medium)
Component: Windows Remote Access Connection Manager
Type: Denial of Service
Attack Vector: Local (Remote possible, lower impact)
A denial-of-service flaw that can crash critical Windows networking services. Although rated Medium, it has been observed in malware samples, indicating active abuse in the wild.
CVE-2026-21533
CVSS v3.1: 7.8 (High)
Component: Windows Remote Desktop Services (RDP)
Type: Elevation of Privilege
Attack Vector: Local (Authenticated)
This elevation-of-privilege flaw allows attackers to create or promote administrative users after gaining access. Security researchers (including CrowdStrike) observed this exploit being used to accelerate post-compromise activity.
Risk & Defender Takeaway
- All six vulnerabilities are actively exploited
- Majority require user interaction, reinforcing the risk of phishing and social engineering
- Privilege escalation flaws (EoP) significantly amplify impact after initial access
- Immediate patching and endpoint hardening (MoTW enforcement, Office ASR rules, RDP restrictions) are strongly recommended
Deployment Notes
Updates include Secure Boot certificate rollouts ahead of 2011 cert expiration in June 2026; test in staging environments first. Scope-changed CVEs like CVE-2026-21231 expand exploit impact beyond initial components.
Closing Notes
Microsoft’s February 2026 Patch Tuesday underscores a persistent and escalating trend: zero-day exploitation is now routine, not exceptional. The concentration of security feature bypasses paired with local privilege escalations highlights how attackers are chaining user-assisted entry points with post-compromise elevation to rapidly gain control of Windows environments.
From a defender’s perspective:
- User interaction remains the weakest link — phishing, malicious documents, and crafted shortcuts continue to bypass trust-based controls.
- Privilege escalation flaws amplify blast radius once initial access is achieved, turning low-privilege footholds into full administrative compromise.
- Even medium-severity vulnerabilities (e.g., DoS) cannot be ignored when actively abused by malware.
- Organizations delaying patch deployment are effectively operating with known, weaponized attack paths.
Action is non-negotiable: prioritize patching across endpoints and servers, enforce SmartScreen and MoTW integrity, harden Office and RDP configurations, and validate detection coverage for post-exploitation behaviors.
In short, February 2026 is a reminder that patch latency equals exposure—and zero-days are now part of the monthly threat model, not the exception.
