Microsoft Feb 2026 Patch Tuesday: 6 Zero-Days – Patch Now

The Threat at a Glance

Threat Type Actively Exploited Zero-Day Vulnerabilities in Windows and Microsoft Products (Security Feature Bypasses & Elevation of Privilege)
Severity Critical (CVSS 7.5–8.8; 6 Zero-Days Actively Exploited; Multiple Added to CISA KEV Catalog on February 10, 2026)
Affected Systems Windows 10/11, Windows Server 2016–2022; Microsoft Office / Microsoft 365; MSHTML, Desktop Window Manager, Remote Desktop Services, and related components
Attack Vector Network / Local (Phishing links/files, malicious .lnk / Office docs, local authenticated escalation); User interaction often required for initial bypasses
Exploitation Status Actively Exploited in the Wild (6 zero-days confirmed; CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21533 added to CISA KEV on Feb 10, 2026)
Mitigation Availability Patches released February 10, 2026 (Patch Tuesday); Apply via Windows Update / WSUS immediately
Core Mechanism Security feature bypasses (SmartScreen, OLE protections, MSHTML) + local privilege escalation to SYSTEM level
Preview Pane Safety Safe for most (e.g., CVE-2026-21514 not exploitable via Preview Pane); But user interaction (clicking links/files) remains high-risk vector
Key Takeaways

• Microsoft patched 58 vulnerabilities including 6 actively exploited zero-days on February 10, 2026
• CISA added CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21533 (and others) to its Known Exploited Vulnerabilities catalog the same day — federal agencies must patch by March 3, 2026
• Attackers are actively targeting core Windows components (Shell, MSHTML, DWM, Office) using phishing, malicious documents, and .lnk files
• Delay = extreme risk: Apply patches immediately, enable automatic updates, and layer defenses (EDR, email filtering, user training)

Microsoft released its February 2026 Patch Tuesday security updates on February 10, 2026, addressing a total of 58 vulnerabilities across Windows, Office, Azure, Edge, Exchange, and other products. Among these are six zero-day vulnerabilities confirmed to be actively exploited in the wild, with several publicly disclosed before patches became available.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) acted swiftly, adding multiple of these vulnerabilities — including CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, and CVE-2026-21533 — to its Known Exploited Vulnerabilities (KEV) catalog on the same day. This rapid inclusion signals that real-world attacks are already occurring and that organizations face immediate risk if they do not apply the patches as soon as possible.

For broader context on the accelerating threat landscape, see our 2026 Cybersecurity Trends analysis.

Threat Overview

The February 2026 Patch Tuesday release is one of the most urgent in recent memory. Of the 58 vulnerabilities fixed, six were zero-days under active exploitation. Three of these were publicly known prior to patching, dramatically increasing the likelihood of widespread abuse. CISA’s KEV catalog additions mean federal civilian agencies have until March 3, 2026 to apply mitigations — but every organization, regardless of sector, should treat these as emergency fixes.

These vulnerabilities primarily enable two dangerous outcomes:

  • Security feature bypasses that suppress critical user warnings (SmartScreen, OLE protections, MSHTML safeguards)
  • Local privilege escalation that allows attackers with initial access to gain SYSTEM-level privileges

Combined with common delivery methods like phishing emails containing malicious .lnk files, Office documents, or HTML content, these flaws provide attackers with reliable paths to initial compromise, persistence, and lateral movement.

Technical Deep Dive

Key Zero-Day Vulnerabilities

  • CVE-2026-21510 — Windows Shell Security Feature Bypass Vulnerability (CVSS 8.8)
    Allows attackers to bypass Windows SmartScreen and Shell security warnings by using a specially crafted link or .lnk file. This flaw was publicly disclosed prior to patching and is actively exploited. Exploitation typically requires only one user interaction (clicking a malicious shortcut or link), resulting in arbitrary code execution without any security prompts or consent dialogs. Impacts all supported Windows versions.
  • CVE-2026-21513 — MSHTML / Internet Explorer Security Feature Bypass Vulnerability (CVSS 8.8)
    Bypasses protections in the MSHTML rendering engine (used in legacy Internet Explorer mode and certain Windows components). Attackers can craft malicious HTML content or .lnk files that execute code silently by exploiting how MSHTML interacts with the Shell. This zero-day was publicly known and actively exploited before the patch was released.
  • CVE-2026-21514 — Microsoft Word / Office Security Feature Bypass Vulnerability (CVSS 7.8–8.1)
    Bypasses OLE object mitigations in Microsoft Word and other Office applications, allowing malicious COM/OLE controls to execute when a user opens a crafted document. Importantly, the Outlook Preview Pane is not an attack vector for this vulnerability — exploitation requires the user to open the file. This flaw was publicly disclosed and exploited in the wild prior to patching.
  • CVE-2026-21519 — Desktop Window Manager Elevation of Privilege Vulnerability (CVSS 7.8)
    Enables a local, authenticated attacker to escalate privileges to SYSTEM level by exploiting flaws in the Desktop Window Manager (DWM) component. This marks the second consecutive month Microsoft has patched an actively exploited DWM zero-day, highlighting persistent targeting of this critical GUI subsystem.
  • CVE-2026-21533 — Windows Remote Desktop Services Elevation of Privilege Vulnerability (CVSS 7.8)
    Allows local privilege escalation to SYSTEM privileges through vulnerabilities in Remote Desktop Services. Useful for attackers who already have a foothold on a target system.
  • CVE-2026-21525 — Windows Remote Access Connection Manager Vulnerability (CVSS 6.2)
    Another actively exploited zero-day, often used in combination with the above flaws for broader impact.

Typical Exploitation Chain

  1. Initial Access: Phishing email delivers malicious .lnk file, Office document, or HTML content.
  2. Security Bypass: CVE-2026-21510, CVE-2026-21513, or CVE-2026-21514 suppresses warnings → payload executes silently.
  3. Privilege Escalation: CVE-2026-21519 or CVE-2026-21533 grants SYSTEM privileges locally.
  4. Impact: Ransomware deployment, data exfiltration, credential theft, lateral movement, persistence.

Exploitation in the Wild

Microsoft, security researchers, and threat intelligence providers have confirmed active in-the-wild exploitation of all six zero-days listed above. CISA’s addition of CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21533 (and potentially others) to the KEV catalog on February 10, 2026, is based on credible evidence of real-world attacks. Likely actors include ransomware groups, financially motivated cybercriminals, and possibly advanced persistent threats.

Common indicators of compromise include:

  • Suspicious .lnk file executions
  • Anomalous MSHTML / Shell activity
  • Unexpected privilege escalations to SYSTEM
  • Office OLE object execution from untrusted sources

Detection and Mitigation Strategies

Immediate Actions

  1. Patch Immediately: Deploy the February 2026 security updates via Windows Update, WSUS, Microsoft Endpoint Configuration Manager, or Intune. Prioritize internet-facing systems, domain controllers, and high-value assets.
  2. Enable Automatic Updates: Ensure all Windows devices install security patches automatically where possible.
  3. Block Common Vectors: Strengthen email filtering to block .lnk attachments, malicious Office macros, and suspicious HTML content. Consider disabling legacy Internet Explorer mode if not required.

Detection Techniques

  • EDR / XDR: Monitor for suspicious Shell executions, MSHTML rendering events, Office OLE anomalies, and unexpected SYSTEM-level processes.
  • SIEM Hunting: Search logs for indicators associated with these CVEs (e.g., anomalous .lnk opens, DWM privilege changes).
  • Behavioral Analytics: Use UEBA rules to detect abnormal privilege escalation patterns.

Long-Term Hardening Recommendations

  • Conduct regular phishing and safe-file-handling training for all users
  • Enable Microsoft Defender exploit protection and attack surface reduction rules
  • Implement least-privilege access and disable unnecessary legacy components/protocols
  • Perform frequent vulnerability scanning and patch-compliance auditing

Conclusion

The February 2026 Patch Tuesday release is a critical wake-up call: six actively exploited zero-days, several now formally listed in CISA’s Known Exploited Vulnerabilities catalog, targeting the core of Windows and Office functionality. These are not theoretical risks — adversaries are using them in real attacks right now.

Patch immediately. Hunt for signs of compromise. Strengthen layered defenses. Every hour of delay increases the chance of successful exploitation. ByteVanguard will continue monitoring this threat landscape — stay informed with our updates and threat intelligence reports.

References

Follow us on X • © 2026 ByteVanguard • Independent Cyber Threat Intelligence

Official CISA Catalog ↗
CISA STATUS 1513 ACTIVE EXPLOITS
● VIEW RECENT THREATS
Latest (10) KEVs
CVE-2026-21513 Added: Feb 10, 2026
Microsoft MSHTML Framework Protection Mechanism Failure Vulnerability
CVE-2026-21525 Added: Feb 10, 2026
Microsoft Windows NULL Pointer Dereference Vulnerability
CVE-2026-21510 Added: Feb 10, 2026
Microsoft Windows Shell Protection Mechanism Failure Vulnerability
CVE-2026-21533 Added: Feb 10, 2026
Microsoft Windows Improper Privilege Management Vulnerability
CVE-2026-21519 Added: Feb 10, 2026
Microsoft Windows Type Confusion Vulnerability
CVE-2026-21514 Added: Feb 10, 2026
Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability
CVE-2025-11953 Added: Feb 05, 2026
React Native Community CLI OS Command Injection Vulnerability
CVE-2026-24423 Added: Feb 05, 2026
SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
CVE-2021-39935 Added: Feb 03, 2026
GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability
CVE-2025-64328 Added: Feb 03, 2026
Sangoma FreePBX OS Command Injection Vulnerability
Sync: Feb 11, 11:00 UTC LIVE
EPSS GLOBAL THREATS ↗
THREAT #1 CVE-2024-27198 94.58% SCORE
● VIEW DETAILED TOP 10
Global Intelligence
RANK #1 CVE-2024-27198 Score: 94.58% JetBrains TeamCity Authentication Bypass Vulnerability
RANK #2 CVE-2023-23752 Score: 94.52% Joomla! Improper Access Control Vulnerability
RANK #3 CVE-2017-8917 Score: 94.51%
Known Security Vulnerability
RANK #4 CVE-2017-1000353 Score: 94.51% Jenkins Remote Code Execution Vulnerability
RANK #5 CVE-2024-27199 Score: 94.49%
Known Security Vulnerability
RANK #6 CVE-2018-7600 Score: 94.49% Drupal Core Remote Code Execution Vulnerability
RANK #7 CVE-2021-22986 Score: 94.49% F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability
RANK #8 CVE-2023-35078 Score: 94.48% Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability
RANK #9 CVE-2019-11510 Score: 94.48% Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability
RANK #10 CVE-2018-13379 Score: 94.48% Fortinet FortiOS SSL VPN Path Traversal Vulnerability
Sync: Feb 11, 11:00 UTC LIVE
SANS ISC INFO-CON ↗
GLOBAL THREAT GREEN Condition Level
VIEW THREAT REPORT
Threat Intelligence
Source: SANS ISC Report ↗ The InfoCon is a status system used by the SANS Internet Storm Center to track global internet threat levels.
Sync: Feb 11, 11:03 UTC ACTIVE

Microsoft Feb 2026 Patch Tuesday: 6 Zero-Days – Patch Now

The Threat at a Glance

Threat Type Actively Exploited Zero-Day Vulnerabilities in Windows and Microsoft Products (Security Feature Bypasses & Elevation of Privilege)
Severity Critical (CVSS 7.5–8.8; 6 Zero-Days Actively Exploited; Multiple Added to CISA KEV Catalog on February 10, 2026)
Affected Systems Windows 10/11, Windows Server 2016–2022; Microsoft Office / Microsoft 365; MSHTML, Desktop Window Manager, Remote Desktop Services, and related components
Attack Vector Network / Local (Phishing links/files, malicious .lnk / Office docs, local authenticated escalation); User interaction often required for initial bypasses
Exploitation Status Actively Exploited in the Wild (6 zero-days confirmed; CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21533 added to CISA KEV on Feb 10, 2026)
Mitigation Availability Patches released February 10, 2026 (Patch Tuesday); Apply via Windows Update / WSUS immediately
Core Mechanism Security feature bypasses (SmartScreen, OLE protections, MSHTML) + local privilege escalation to SYSTEM level
Preview Pane Safety Safe for most (e.g., CVE-2026-21514 not exploitable via Preview Pane); But user interaction (clicking links/files) remains high-risk vector
Key Takeaways

• Microsoft patched 58 vulnerabilities including 6 actively exploited zero-days on February 10, 2026
• CISA added CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21533 (and others) to its Known Exploited Vulnerabilities catalog the same day — federal agencies must patch by March 3, 2026
• Attackers are actively targeting core Windows components (Shell, MSHTML, DWM, Office) using phishing, malicious documents, and .lnk files
• Delay = extreme risk: Apply patches immediately, enable automatic updates, and layer defenses (EDR, email filtering, user training)

Microsoft released its February 2026 Patch Tuesday security updates on February 10, 2026, addressing a total of 58 vulnerabilities across Windows, Office, Azure, Edge, Exchange, and other products. Among these are six zero-day vulnerabilities confirmed to be actively exploited in the wild, with several publicly disclosed before patches became available.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) acted swiftly, adding multiple of these vulnerabilities — including CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, and CVE-2026-21533 — to its Known Exploited Vulnerabilities (KEV) catalog on the same day. This rapid inclusion signals that real-world attacks are already occurring and that organizations face immediate risk if they do not apply the patches as soon as possible.

For broader context on the accelerating threat landscape, see our 2026 Cybersecurity Trends analysis.

Threat Overview

The February 2026 Patch Tuesday release is one of the most urgent in recent memory. Of the 58 vulnerabilities fixed, six were zero-days under active exploitation. Three of these were publicly known prior to patching, dramatically increasing the likelihood of widespread abuse. CISA’s KEV catalog additions mean federal civilian agencies have until March 3, 2026 to apply mitigations — but every organization, regardless of sector, should treat these as emergency fixes.

These vulnerabilities primarily enable two dangerous outcomes:

  • Security feature bypasses that suppress critical user warnings (SmartScreen, OLE protections, MSHTML safeguards)
  • Local privilege escalation that allows attackers with initial access to gain SYSTEM-level privileges

Combined with common delivery methods like phishing emails containing malicious .lnk files, Office documents, or HTML content, these flaws provide attackers with reliable paths to initial compromise, persistence, and lateral movement.

Technical Deep Dive

Key Zero-Day Vulnerabilities

  • CVE-2026-21510 — Windows Shell Security Feature Bypass Vulnerability (CVSS 8.8)
    Allows attackers to bypass Windows SmartScreen and Shell security warnings by using a specially crafted link or .lnk file. This flaw was publicly disclosed prior to patching and is actively exploited. Exploitation typically requires only one user interaction (clicking a malicious shortcut or link), resulting in arbitrary code execution without any security prompts or consent dialogs. Impacts all supported Windows versions.
  • CVE-2026-21513 — MSHTML / Internet Explorer Security Feature Bypass Vulnerability (CVSS 8.8)
    Bypasses protections in the MSHTML rendering engine (used in legacy Internet Explorer mode and certain Windows components). Attackers can craft malicious HTML content or .lnk files that execute code silently by exploiting how MSHTML interacts with the Shell. This zero-day was publicly known and actively exploited before the patch was released.
  • CVE-2026-21514 — Microsoft Word / Office Security Feature Bypass Vulnerability (CVSS 7.8–8.1)
    Bypasses OLE object mitigations in Microsoft Word and other Office applications, allowing malicious COM/OLE controls to execute when a user opens a crafted document. Importantly, the Outlook Preview Pane is not an attack vector for this vulnerability — exploitation requires the user to open the file. This flaw was publicly disclosed and exploited in the wild prior to patching.
  • CVE-2026-21519 — Desktop Window Manager Elevation of Privilege Vulnerability (CVSS 7.8)
    Enables a local, authenticated attacker to escalate privileges to SYSTEM level by exploiting flaws in the Desktop Window Manager (DWM) component. This marks the second consecutive month Microsoft has patched an actively exploited DWM zero-day, highlighting persistent targeting of this critical GUI subsystem.
  • CVE-2026-21533 — Windows Remote Desktop Services Elevation of Privilege Vulnerability (CVSS 7.8)
    Allows local privilege escalation to SYSTEM privileges through vulnerabilities in Remote Desktop Services. Useful for attackers who already have a foothold on a target system.
  • CVE-2026-21525 — Windows Remote Access Connection Manager Vulnerability (CVSS 6.2)
    Another actively exploited zero-day, often used in combination with the above flaws for broader impact.

Typical Exploitation Chain

  1. Initial Access: Phishing email delivers malicious .lnk file, Office document, or HTML content.
  2. Security Bypass: CVE-2026-21510, CVE-2026-21513, or CVE-2026-21514 suppresses warnings → payload executes silently.
  3. Privilege Escalation: CVE-2026-21519 or CVE-2026-21533 grants SYSTEM privileges locally.
  4. Impact: Ransomware deployment, data exfiltration, credential theft, lateral movement, persistence.

Exploitation in the Wild

Microsoft, security researchers, and threat intelligence providers have confirmed active in-the-wild exploitation of all six zero-days listed above. CISA’s addition of CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21533 (and potentially others) to the KEV catalog on February 10, 2026, is based on credible evidence of real-world attacks. Likely actors include ransomware groups, financially motivated cybercriminals, and possibly advanced persistent threats.

Common indicators of compromise include:

  • Suspicious .lnk file executions
  • Anomalous MSHTML / Shell activity
  • Unexpected privilege escalations to SYSTEM
  • Office OLE object execution from untrusted sources

Detection and Mitigation Strategies

Immediate Actions

  1. Patch Immediately: Deploy the February 2026 security updates via Windows Update, WSUS, Microsoft Endpoint Configuration Manager, or Intune. Prioritize internet-facing systems, domain controllers, and high-value assets.
  2. Enable Automatic Updates: Ensure all Windows devices install security patches automatically where possible.
  3. Block Common Vectors: Strengthen email filtering to block .lnk attachments, malicious Office macros, and suspicious HTML content. Consider disabling legacy Internet Explorer mode if not required.

Detection Techniques

  • EDR / XDR: Monitor for suspicious Shell executions, MSHTML rendering events, Office OLE anomalies, and unexpected SYSTEM-level processes.
  • SIEM Hunting: Search logs for indicators associated with these CVEs (e.g., anomalous .lnk opens, DWM privilege changes).
  • Behavioral Analytics: Use UEBA rules to detect abnormal privilege escalation patterns.

Long-Term Hardening Recommendations

  • Conduct regular phishing and safe-file-handling training for all users
  • Enable Microsoft Defender exploit protection and attack surface reduction rules
  • Implement least-privilege access and disable unnecessary legacy components/protocols
  • Perform frequent vulnerability scanning and patch-compliance auditing

Conclusion

The February 2026 Patch Tuesday release is a critical wake-up call: six actively exploited zero-days, several now formally listed in CISA’s Known Exploited Vulnerabilities catalog, targeting the core of Windows and Office functionality. These are not theoretical risks — adversaries are using them in real attacks right now.

Patch immediately. Hunt for signs of compromise. Strengthen layered defenses. Every hour of delay increases the chance of successful exploitation. ByteVanguard will continue monitoring this threat landscape — stay informed with our updates and threat intelligence reports.

References

Follow us on X • © 2026 ByteVanguard • Independent Cyber Threat Intelligence

Follow us on
© 2026 ByteVanguard • Independent Cyber Threat Intelligence