Microsoft February 2026 Patch Tuesday Fixes 58 Vulnerabilities, Six actively Exploited Flaws

Microsoft fixed 58 security flaws in its February 2026 Patch Tuesday update. This release includes five critical bugs and six zero-day vulnerabilities, all of which are actively exploited in the wild. Three of the zero-days were also publicly disclosed.

The update patches flaws in Windows, Office, Azure, Exchange Server, .NET, GitHub Copilot, Edge, and Power BI that allow attackers to run code, bypass security features, or gain higher privileges.

Actively exploited flaws:

• CVE-2026-21510 - Windows Shell Security Feature Bypass Vulnerability. Actively exploited by convincing a user to open a malicious link or shortcut file. An attacker could bypass Windows SmartScreen and Windows Shell security prompts through improper handling in Windows Shell components, allowing attacker-controlled content to execute without user warning or consent. This likely allows attackers to bypass Mark of the Web (MoTW) security warnings.
• CVE-2026-21513 - MSHTML Framework Security Feature Bypass Vulnerability. Actively exploited to bypass security controls and potentially execute code by convincing a victim to open a malicious HTML or LNK file. A protection mechanism failure in the MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.
• CVE-2026-21514 - Microsoft Word Security Feature Bypass Vulnerability. Actively exploited by sending a user a malicious Office file and convincing them to open it. This vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls. Cannot be exploited in the Office Preview Pane.
• CVE-2026-21519 - Desktop Window Manager Elevation of Privilege Vulnerability. Actively exploited to gain SYSTEM privileges. No details have been shared on how it was exploited.
• CVE-2026-21525 - Windows Remote Access Connection Manager Denial of Service Vulnerability. Actively exploited via a null pointer dereference that allows an unauthorized attacker to deny service locally. No details have been shared on how this flaw was exploited in attacks.
• CVE-2026-21533 - Windows Remote Desktop Services Elevation of Privilege Vulnerability. Actively exploited through improper privilege management that allows an authorized attacker to elevate privileges locally. No details have been shared on how it was exploited. 

Note: CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514 were all discovered in part by Google Threat Intelligence Group, suggesting these vulnerabilities may have been exploited by the same threat actors or in the same campaign. Google has been tracking attacks conducted by commercial spyware vendors, state-sponsored APTs, and profit-driven cybercriminals.

Critical patched flaws:

• CVE-2026-24302 - Azure Arc Elevation of Privilege Vulnerability
• CVE-2026-23655 - Microsoft ACI Confidential Containers Information Disclosure Vulnerability
• CVE-2026-21522 - Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability
• CVE-2026-24300 - Azure Front Door Elevation of Privilege Vulnerability
• CVE-2026-21532 - Azure Function Information Disclosure Vulnerability

The patch cycle includes:

• 25 Elevation of Privilege vulnerabilities
• 5 Security Feature Bypass vulnerabilities
• 12 Remote Code Execution vulnerabilities
• 6 Information Disclosure vulnerabilities
• 3 Denial of Service vulnerabilities
• 7 Spoofing vulnerabilities

As part of these updates, Microsoft has also begun rolling out updated Secure Boot certificates to replace the original 2011 certificates expiring in late June 2026.

Full patch list