Microsoft’s February 2026 Patch Tuesday: Six Zero-Days Under Active Attack
Microsoft’s February 2026 Patch Tuesday: Six Zero-Days Under Active Attack
Microsoft has released critical security patches addressing 59 vulnerabilities, including six zero-day flaws actively exploited in the wild. The February 2026 Patch Tuesday update targets multiple attack vectors, with elevation of privilege vulnerabilities dominating the threat landscape at 25 flaws, followed by remote code execution risks affecting 12 systems.
The Attack / Incident
The six actively exploited zero-days represent a significant security threat, with three already publicly disclosed before patches became available. These vulnerabilities span critical Windows components and productivity software, creating multiple pathways for attackers to compromise systems.
CVE-2026-21510 — Windows Shell Security Feature Bypass allows attackers to bypass Windows SmartScreen and Shell warning dialogs by tricking users into opening malicious shortcut or link files. This vulnerability undermines core safety protections designed to prevent untrusted code execution, making it particularly effective in phishing and malware-delivery campaigns that exploit social engineering rather than technical complexity.
CVE-2026-21513 — MSHTML Framework (Internet Explorer) Security Feature Bypass enables unauthorized attackers to bypass security features over a network through protection mechanism failures in Internet Explorer. This flaw directly impacts users still relying on legacy browser technology.
CVE-2026-21514 — Microsoft Word Security Feature Bypass allows malicious documents to sidestep OLE-based defensive measures when opened by users, enabling attackers to introduce unsafe content into trusted Office workflows. While exploitation requires user interaction, the bypass undermines a core safety boundary designed to block misuse of embedded controls.
CVE-2026-21519 — Desktop Window Manager Elevation of Privilege exploits a type confusion flaw that allows authenticated attackers to escalate privileges to SYSTEM level, granting full administrative control. This vulnerability is frequently employed during later stages of intrusions to disable defenses and pivot across environments.
CVE-2026-21525 — RasMan Denial of Service rounds out the critical zero-day threats, though specific technical details remain limited in public disclosures.
The remaining zero-day details were intentionally withheld by Microsoft—a standard practice for vulnerabilities already leveraged in targeted intrusions—to prevent threat actors from replicating exploits before patches achieve widespread deployment.
The Impact
The February 2026 patch wave affects nearly all major Microsoft components, creating broad organizational exposure:
- Windows (client and server environments)
- Microsoft Office and Microsoft 365
- Azure services and Windows Defender
- .NET, GitHub Copilot, and Visual Studio
- Internet Explorer and MSHTML
- Windows Secure Boot infrastructure
Beyond the zero-days, Microsoft addressed five additional Critical-severity vulnerabilities and 52 Important-severity flaws. The vulnerability distribution reveals attackers’ preferred exploitation techniques: elevation of privilege flaws account for 42% of patches, remote code execution for 20%, and spoofing attacks for 14%.
Microsoft is also rolling out updated Secure Boot certificates ahead of the June 2026 expiration of legacy 2011 certificates—a major infrastructure milestone affecting Windows boot integrity across devices.
Mitigation
Immediate Actions: Organizations must prioritize patches for the six actively exploited zero-days immediately, as confirmed attacker activity eliminates any prioritization debate. CISA has added CVE-2026-21519 to its Known Exploited Vulnerabilities Catalog, urging users to patch before March 3, 2026.
Deployment Considerations: Verify rollout compatibility, especially in environments with custom boot policies, given the Secure Boot certificate updates. Organizations should implement logging and alerting for suspicious privilege escalation activity, given that 25 elevation of privilege flaws were addressed this month.
User Education: Train employees to recognize phishing attempts and suspicious file types, particularly shortcut (.lnk) and link files that exploit CVE-2026-21510. Disable or restrict Internet Explorer usage where possible to reduce exposure to CVE-2026-21513.
Office Security: Advise users to exercise caution when opening Word documents from untrusted sources, and consider disabling embedded OLE objects in high-risk environments to mitigate CVE-2026-21514.
Conclusion
February 2026’s Patch Tuesday represents a critical security moment, with six actively exploited zero-days demanding immediate attention from IT teams worldwide. The breadth of affected products—spanning Windows, Office, Azure, and developer tools—underscores the need for rapid, coordinated patching strategies. Organizations that delay deployment risk exposure to attackers already weaponizing these flaws in real-world intrusions.
“`