Microsoft Patch Tuesday February 2026: 6 Zero-Days Being Actively Exploited

The Numbers
Microsoft's February 2026 Patch Tuesday dropped on February 11 with fixes for 58 vulnerabilities, including:
- 6 actively exploited zero-days (3 publicly disclosed)
- 5 critical-severity flaws
- 25 elevation of privilege vulnerabilities
- 12 remote code execution vulnerabilities
- 7 spoofing vulnerabilities
- 6 information disclosure vulnerabilities
- 5 security feature bypass vulnerabilities
- 3 denial of service vulnerabilities
CISA has already added the zero-days to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch them urgently.
The 6 Zero-Days
CVE-2026-21510 — Windows Shell SmartScreen Bypass
- Component: Windows Shell
- Severity: Important
- Status: Publicly disclosed, actively exploited
A single click on a malicious link can bypass Windows SmartScreen protections and run attacker-controlled content without any warning or consent dialog. This likely bypasses Mark of the Web (MoTW) warnings — the popups that normally warn you when opening files downloaded from the internet.
Why it matters: SmartScreen is a core defense for everyday users. Bypassing it means phishing links and malicious downloads slip past the one warning most people rely on.
CVE-2026-21513 — MSHTML/Trident Engine Bypass
- Component: MSHTML Framework (Internet Explorer engine)
- Severity: Important
- Attack vector: Network-based
- Status: Publicly disclosed, actively exploited
A protection mechanism failure in the MSHTML framework allows attackers to bypass security features over the network. This targets the legacy Trident browser engine that's still embedded in Windows for rendering HTML content in various applications.
Why it matters: You don't need to "use Internet Explorer" to be vulnerable. MSHTML is invoked by many Windows applications when rendering HTML content — including Outlook, Office, and third-party apps.
CVE-2026-21514 — Microsoft Word OLE Bypass
- Component: Microsoft Word / Microsoft 365
- Severity: Important
- Attack vector: Local (requires opening a malicious file)
- Status: Publicly disclosed, actively exploited
A crafted Office file can bypass OLE mitigations in Microsoft 365 and Microsoft Office that normally protect users from vulnerable COM/OLE controls. The good news: this cannot be exploited via the Preview Pane. The bad news: opening the file is enough.
Why it matters: OLE-based attacks have been a staple of targeted phishing campaigns for years. This bypass removes a key layer of protection.
CVE-2026-21519 — Desktop Window Manager Privilege Escalation
- Component: Desktop Window Manager (DWM)
- Severity: Important
- Attack vector: Local
- Status: Not publicly disclosed, actively exploited
A local, authenticated attacker can exploit this to escalate to SYSTEM privileges. DWM is the Windows component that composites the desktop and every application window, and it runs on every Windows machine.
Why it matters: SYSTEM is the highest privilege level on Windows. An attacker who chains this with any initial access vulnerability gets full control of the machine.
CVE-2026-21533 — Remote Desktop Services Privilege Escalation
- Component: Windows Remote Desktop Services
- Severity: Important
- Attack vector: Local (requires authorization)
- Status: Not publicly disclosed, actively exploited
Improper privilege management in Windows Remote Desktop allows an authorized attacker to escalate privileges locally and modify service configuration to add new Administrator accounts.
Why it matters: RDP is already one of the most targeted services on the internet. A privilege escalation vulnerability in RDS gives attackers a way to go from limited access to full admin control on servers that expose Remote Desktop.
CVE-2026-21525 — Remote Access Connection Manager DoS
- Component: Windows Remote Access Connection Manager (RasMan)
- Severity: Moderate
- Attack vector: Local
- Status: Not publicly disclosed, found in malware samples
A null pointer dereference allows an unprivileged user to crash the RasMan service. It was discovered by the ACROS Security / 0patch team after they found it referenced in public malware repositories.
Why it matters: While "just" a denial of service, the fact that it was found in active malware suggests attackers are using it as part of a larger attack chain — potentially to disrupt VPN connections or force users onto unprotected networks.
The Attack Chain to Watch
The most dangerous combination this month is:
- CVE-2026-21510 (SmartScreen bypass) to deliver a malicious file without triggering warnings
- CVE-2026-21519 (DWM privilege escalation) to escalate from user to SYSTEM
That's initial access + privilege escalation with two actively exploited vulnerabilities. If you're prioritizing patches, these two should be at the top.
What You Should Do
Patch Immediately
If you manage Windows systems — whether desktops, servers, or cloud VMs — apply the February 2026 cumulative updates now. Not "this sprint." Not "next maintenance window." Now.
```powershell
# Check for and install updates via PowerShell. Get-WindowsUpdate comes from the
# PSWindowsUpdate module (PowerShell Gallery), not from Windows itself; run as Administrator.
Import-Module PSWindowsUpdate
Get-WindowsUpdate -Install -AcceptAll
# Or force a check through the Windows Update settings page
Start-Process "ms-settings:windowsupdate-action"
```
If You Can't Patch Immediately
- Block MSHTML rendering in Outlook — Set Outlook to read emails in plain text to mitigate CVE-2026-21513
- Restrict Office macros and OLE — Group Policy can enforce blocking of OLE objects from untrusted sources
- Monitor for SmartScreen bypass indicators — Watch for files executing without MoTW flags
- Audit RDP access — Restrict Remote Desktop to VPN-only access and review who has RDP permissions
- Enable Attack Surface Reduction (ASR) rules — Microsoft Defender's ASR rules can block many of the attack vectors these zero-days exploit
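Two of the interim mitigations above (the MoTW check and the ASR rules) can be audited from one script. This is an added example, not code from the original post; the ASR rule GUIDs are Microsoft's documented values, while the Downloads path, the 7-day window and the extension list are assumptions for the demo.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit two of the interim mitigations above
# on one host. ASR rule GUIDs are Microsoft's documented values; the Downloads path,
# 7-day window and extension list are assumptions for the demo.

# 1. Recently downloaded risky file types with no Mark of the Web (no Zone.Identifier
#    stream). Such files never get a SmartScreen prompt, so recent ones deserve a look.
function Get-FilesWithoutMotw {
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'), [int]$Days = 7)
    $risky = '.exe', '.dll', '.msi', '.js', '.vbs', '.lnk', '.iso', '.docm', '.xlsm'
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) -and $_.Extension -in $risky } |
        Where-Object { -not (Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue) } |
        Select-Object FullName, LastWriteTime
}

# 2. Defender ASR rules covering the Office/OLE and email delivery vectors used by the
#    Word and MSHTML zero-days. Action codes: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JS/VBScript from launching downloaded executables'
}
function Get-AsrRuleState {
    param([switch]$Enforce)   # -Enforce sets every rule that is not already in Block mode
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    foreach ($id in $AsrRules.Keys) {
        $state = 'Not configured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $id) {
                $state = switch ([int]$pref.AttackSurfaceReductionRules_Actions[$i]) {
                    0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Unknown' }
                }
                break
            }
        }
        if ($Enforce -and $state -ne 'Block') {
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
            $state = 'Block (set now)'
        }
        [pscustomobject]@{ Rule = $AsrRules[$id]; State = $state }
    }
}

Get-FilesWithoutMotw | Format-Table -AutoSize
Get-AsrRuleState      | Format-Table -AutoSize   # add -Enforce to switch the rules to Block
```

Run it in audit mode first; a rule reported as Audit or Not configured is a gap even on a patched host, and any file it lists deserves a second look before it is opened.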
For Developers Specifically
- Update your dev machines — Developer workstations are high-value targets because they have access to source code, credentials, and deployment pipelines
- Review your CI/CD runners — If you run Windows-based build agents, they need patching too
- Check your Docker base images — If you use Windows containers, update your base images
The Bigger Picture
Six actively exploited zero-days in a single Patch Tuesday is not normal. For context, Microsoft patched 22 zero-days across all of 2024. We're already at 6 in February alone.
The trend is clear: attackers are finding and exploiting Windows vulnerabilities faster than ever. The window between discovery and exploitation is shrinking — in some cases, exploits appear in the wild before patches are available.
Patch management isn't optional anymore. It's a survival skill.
Sources
- Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws — BleepingComputer
- Microsoft Patches 59 Vulnerabilities Including Six Actively Exploited Zero-Days — The Hacker News
- February Patch Tuesday: Microsoft drops six zero-days — Computer Weekly
- Patch Tuesday, February 2026 Edition — Krebs on Security
- 6 Actively Exploited Zero-Days Patched by Microsoft — SecurityWeek
- Microsoft and Adobe Patch Tuesday, February 2026 Security Update Review — Qualys