Microsoft February 2026 Patch Tuesday Fixes Six Actively Exploited Zero-Days
Microsoft's February 2026 Patch Tuesday addresses 58 vulnerabilities including six actively exploited zero-days and five critical flaws, with CVE-2026-21510 and CVE-2026-21513 requiring minimal user interaction.
Microsoft's February 2026 Patch Tuesday, released on February 10, addresses 58 vulnerabilities across Windows, Office, and related products. Six of these vulnerabilities were actively exploited in the wild at the time of patch release, marking the highest single-month zero-day count in recent memory. Five additional vulnerabilities are rated Critical.
The Six Zero-Days
The actively exploited vulnerabilities span multiple Windows components and Office products:
- CVE-2026-21510 (CVSS 8.8) — A Windows Shell security feature bypass exploitable via a single malicious link click. The low interaction requirement makes this particularly dangerous for phishing campaigns.
- CVE-2026-21513 — An MSHTML security bypass triggered via crafted HTML files or .lnk shortcut files. MSHTML vulnerabilities have historically been favored by advanced threat actors for initial access campaigns.
- CVE-2026-21514 (CVSS 7.8) — A Microsoft Word security feature bypass via a crafted Office file. Exploiting this flaw requires the user to open a malicious document, a well-established delivery mechanism in targeted attacks.
- CVE-2026-21519 — A Desktop Window Manager privilege escalation vulnerability that grants SYSTEM-level access. Once an attacker has initial code execution on a system, this flaw provides a reliable path to full administrative control.
- CVE-2026-21525 — A Windows Remote Access Connection Manager denial of service vulnerability.
- CVE-2026-21533 — A Windows Remote Desktop Services privilege escalation that also grants SYSTEM access.
Critical Flaws
Among the five Critical-rated vulnerabilities, CVE-2026-26119 (CVSS 8.8) stands out — a Windows Admin Center privilege escalation that can be exploited over the network. Windows Admin Center is a browser-based management tool used by system administrators, and a privilege escalation in this context could allow an attacker to gain administrative control over managed servers from a network-adjacent position.
Patch Priority
CVE-2026-21510 and CVE-2026-21513 warrant the highest patching priority. Both require minimal user interaction — a link click or file open — and both bypass security features that are specifically designed to prevent exploitation of downstream vulnerabilities. Security feature bypasses are frequently chained with other vulnerabilities: the bypass disables a protection mechanism, and a separate exploit leverages the unprotected attack surface to achieve code execution or privilege escalation.
Organizations with Windows environments should prioritize testing and deploying the February cumulative update. CISA is expected to add the six actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog, which would trigger mandatory patching timelines for federal agencies and serve as a strong signal for private sector organizations to follow suit. The six zero-days affect billions of Windows endpoints worldwide, and the combination of low interaction requirements with privilege escalation paths makes this month's patch set operationally urgent.
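One way to track the six zero-days against a snapshot of the KEV catalog, as an added example that is not from the original article, Microsoft or CISA. It assumes the KEV JSON feed layout (a `vulnerabilities` array whose entries carry `cveID`, `dateAdded` and `dueDate`); the function names and all sample dates are constructed for illustration.

```python
import json
from datetime import date

# The six actively exploited CVEs named in this article.
ZERO_DAYS = ["CVE-2026-21510", "CVE-2026-21513", "CVE-2026-21514",
             "CVE-2026-21519", "CVE-2026-21525", "CVE-2026-21533"]

# Constructed sample in the layout of the KEV JSON feed. Every date here is
# made up for illustration; none of it is real catalog data.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-21510", "dateAdded": "2026-02-10", "dueDate": "2026-03-03"},
    {"cveID": " cve-2026-21513", "dateAdded": "2026-02-10", "dueDate": "2026-03-10"},
    {"cveID": "CVE-2026-21519", "dateAdded": "2026-02-10"},  # dueDate missing
    {"cveID": "CVE-0000-00000", "dateAdded": "2026-01-01", "dueDate": "2026-01-22"},  # placeholder
]})

def kev_status(kev_json, watchlist, today):
    """Map each watched CVE to its KEV listing state and days until the due date."""
    listed = {}
    for item in json.loads(kev_json).get("vulnerabilities", []):
        cve = str(item.get("cveID", "")).strip().upper()  # tolerate case/whitespace drift
        if cve:
            listed[cve] = item
    report = {}
    for cve in watchlist:
        item = listed.get(cve.strip().upper())
        due = None
        if item and item.get("dueDate"):
            try:
                due = date.fromisoformat(item["dueDate"])
            except ValueError:
                due = None  # unparseable date: listed, but no deadline known
        report[cve] = {"listed": item is not None, "due": due,
                       "days_left": (due - today).days if due else None}
    return report

def overdue(report):
    """CVEs whose KEV due date has already passed."""
    return sorted(c for c, r in report.items()
                  if r["days_left"] is not None and r["days_left"] < 0)

def not_listed(report):
    """Watched CVEs absent from the catalog snapshot."""
    return sorted(c for c, r in report.items() if not r["listed"])

if __name__ == "__main__":
    rep = kev_status(SAMPLE_KEV, ZERO_DAYS, today=date(2026, 3, 5))
    print("overdue:", overdue(rep), "| not yet listed:", not_listed(rep))
```

A CVE that is absent from the snapshot is not lower priority; the article's ordering (CVE-2026-21510 and CVE-2026-21513 first) applies whether or not a catalog entry exists yet.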