Microsoft February 2026 Patch Tuesday: 58 Vulnerabilities Fixed, 6 Actively Exploited Zero-Days Addressed

CyberDefender 14 mins0

Microsoft released its monthly Patch Tuesday security updates, addressing 58 vulnerabilities across Windows, Azure, Office, developer tools, and enterprise platforms. This month’s release is particularly significant due to the remediation of six actively exploited zero-day vulnerabilities, three of which were publicly disclosed before patches became available.

In addition, Microsoft rated five vulnerabilities as Critical, including three Elevation of Privilege (EoP) and two Information Disclosure flaws. Beyond security patches, the company has also begun rolling out updated Secure Boot certificates to replace legacy 2011 certificates set to expire in June 2026.

This article provides a deep technical breakdown of the vulnerabilities, exploitation patterns, architectural implications, and defensive guidance for security teams.

Vulnerability Overview and Distribution

The 58 patched vulnerabilities fall into the following categories:

  • 25 Elevation of Privilege
  • 5 Security Feature Bypass
  • 12 Remote Code Execution (RCE)
  • 6 Information Disclosure
  • 3 Denial of Service (DoS)
  • 7 Spoofing

As is standard in Patch Tuesday reporting, the total excludes three Microsoft Edge vulnerabilities fixed earlier in February.

Observations

  1. Elevation of Privilege dominates the release (43% of fixes).
  2. Security feature bypass flaws are disproportionately represented among the zero-days.
  3. Several vulnerabilities affect hybrid cloud and DevOps infrastructure.
  4. Enterprise-facing services (Azure, Hyper-V, Remote Desktop, Exchange) continue to be high-value targets.

Actively Exploited Zero-Days

Microsoft patched six vulnerabilities confirmed as actively exploited in the wild. Of these, three were publicly disclosed prior to remediation.

1. CVE-2026-21510 – Windows Shell Security Feature Bypass

Component: Windows Shell
Category: Security Feature Bypass
Exploit Status: Actively exploited, publicly disclosed

Microsoft patched an improper handling flaw in Windows Shell that allows attackers to bypass built-in security prompts.

Exploitation requires persuading a user to open a malicious link or shortcut file.

Technical Analysis

This vulnerability likely impacts how Windows processes metadata attached to downloaded files—specifically the Mark of the Web (MoTW). MoTW is implemented using NTFS Alternate Data Streams (ADS) and is used by:

  • Windows SmartScreen
  • Office Protected View
  • Attachment Execution Services

If improperly handled, attacker-controlled content may execute without triggering SmartScreen or Shell warnings.

This class of vulnerability is highly valuable in phishing campaigns, particularly when chained with Office macro or script-based payloads.

2. CVE-2026-21513 – MSHTML Framework Security Feature Bypass

Component: MSHTML (Trident engine)
Category: Security Feature Bypass
Exploit Status: Actively exploited, publicly disclosed

The vulnerability allows attackers to bypass a protection mechanism within MSHTML.

Although Internet Explorer is deprecated, MSHTML remains embedded in:

  • Legacy enterprise applications
  • Office document rendering
  • HTML preview handlers

Security feature bypasses in MSHTML often relate to:

  • Zone enforcement failures
  • Improper ActiveX control restrictions
  • Sandbox escape logic errors

Given exploitation over a network, this could enable content rendered in a browser control to execute with fewer restrictions than intended.

3. CVE-2026-21514 – Microsoft Word Security Feature Bypass

Component: Microsoft Word
Category: Security Feature Bypass
Exploit Status: Actively exploited, publicly disclosed

This flaw bypasses OLE mitigation mechanisms in:

  • Microsoft 365
  • Microsoft Office standalone editions

The vulnerability affects protection against malicious COM/OLE control usage.

Attack Chain Implications

A potential chain:

  1. Malicious Word document delivered via phishing.
  2. OLE object bypasses mitigation.
  3. Shell bypass (CVE-2026-21510) avoids SmartScreen.
  4. Payload executes without sufficient warning.

Microsoft confirms this cannot be exploited via the Office Preview Pane, reducing exposure in Outlook auto-preview scenarios.

4. CVE-2026-21519 – Desktop Window Manager Elevation of Privilege

Component: Desktop Window Manager (DWM)
Impact: SYSTEM privileges
Exploit Status: Actively exploited

The Desktop Window Manager is responsible for compositing and rendering the Windows GUI.

An attacker exploiting this flaw can elevate privileges to SYSTEM.

Technical Considerations

Possible root causes include:

  • Improper object reference handling
  • Kernel-user boundary issues
  • Insecure inter-process communication (IPC)

Given DWM operates closely with Win32k and kernel graphics subsystems, EoP vulnerabilities here are often chained post-compromise.

5. CVE-2026-21525 – Windows Remote Access Connection Manager DoS

Component: Remote Access Connection Manager
Category: Denial of Service
Exploit Status: Actively exploited

A null pointer dereference allows local denial-of-service conditions.

Interestingly, the flaw was discovered by ACROS Security’s 0patch team in a public malware repository.

Implications

While DoS is often considered lower severity, in enterprise environments:

  • Disrupting remote access services can block VPN connectivity.
  • Repeated triggering could destabilize remote workforce environments.

The professional quality of the exploit suggests potential broader campaign integration.

6. CVE-2026-21533 – Windows Remote Desktop Services Elevation of Privilege

Component: Windows Remote Desktop Services
Impact: Local privilege escalation
Exploit Status: Actively exploited

This vulnerability allows attackers to modify a service configuration key, replacing it with an attacker-controlled key.

According to research from CrowdStrike:

The exploit binary modifies a service configuration key, enabling attackers to add a new user to the Administrator group.

Risk Profile

  • Post-exploitation persistence
  • Privilege escalation after initial foothold
  • Possible ransomware staging vector

Remote Desktop Services remain a top target in enterprise compromise scenarios.

Critical Vulnerabilities Beyond Zero-Days

Five vulnerabilities were rated Critical. Notable examples include:

  • CVE-2026-24302 – Azure Arc EoP
  • CVE-2026-23655 – Azure Confidential Containers Information Disclosure
  • CVE-2026-21522 – Azure ACI Confidential Containers EoP
  • CVE-2026-24300 – Azure Front Door EoP
  • CVE-2026-21532 – Azure Function Information Disclosure

These cloud-focused flaws underscore Microsoft’s expanding attack surface in hybrid infrastructure.

Secure Boot Certificate Rotation

Microsoft has begun deploying updated Secure Boot certificates to replace legacy 2011 certificates expiring in June 2026.

Secure Boot uses a trust chain embedded in firmware:

  • Platform Key (PK)
  • Key Exchange Keys (KEK)
  • Signature Database (db)
  • Forbidden Signature Database (dbx)

The updated rollout:

  • Uses Windows quality updates.
  • Deploys targeting data to determine readiness.
  • Phases certificate delivery based on successful update signals.

This controlled deployment reduces bricking risk in:

  • Legacy BIOS/UEFI configurations
  • Air-gapped systems
  • OEM-customized firmware environments

Failure to update certificates before expiration could prevent future OS boot validation.

Enterprise Platform Vulnerabilities

Azure and Cloud Infrastructure

Multiple Azure components were patched, including:

  • Azure Arc
  • Azure Compute Gallery
  • Azure DevOps Server
  • Azure Function
  • Azure IoT SDK

Cloud-native vulnerabilities increasingly reflect:

  • Identity mismanagement
  • Container isolation flaws
  • SDK-level input validation errors

These impact DevOps pipelines and multi-tenant cloud environments.

Hyper-V Vulnerabilities

Four vulnerabilities affect the Hyper-V role:

  • Three Remote Code Execution
  • One Security Feature Bypass

Virtualization layer flaws are particularly dangerous in:

  • Multi-tenant hosting
  • On-prem hypervisor deployments
  • Cloud providers using Hyper-V-based infrastructure

Hypervisor escape vulnerabilities remain high-value targets.

Office and Productivity Applications

Multiple issues were patched across:

  • Excel (Info Disclosure, EoP)
  • Outlook (Spoofing)
  • Word (Security Feature Bypass)

These remain primary entry vectors via:

  • Phishing
  • Malicious attachments
  • HTML email rendering

Windows Core Components

Notable areas include:

  • Windows Kernel (multiple EoP)
  • HTTP.sys (three EoP)
  • NTLM Spoofing
  • WinSock driver EoP
  • Windows Subsystem for Linux EoP

The concentration of kernel-level privilege escalation flaws reflects ongoing offensive focus on:

  • Driver exploitation
  • Token manipulation
  • Kernel object corruption

Developer and AI Tooling Impact

Three vulnerabilities affect GitHub Copilot integrations in:

  • JetBrains
  • Visual Studio
  • Visual Studio Code

As AI-assisted development becomes ubiquitous, plugin and extension security becomes a new attack surface.

Other Vendor Security Updates

Several vendors released February 2026 advisories:

  • Adobe (Audition, After Effects, InDesign, Substance 3D, Lightroom Classic)
  • Cisco (Secure Web Appliance, Meeting Management)
  • Fortinet (FortiOS, FortiSandbox)
  • SAP (two critical fixes)
  • BeyondTrust (Critical RCE in Remote Support and PRA)

Additionally, U.S. cybersecurity agency CISA issued a binding directive requiring federal agencies to remove unsupported network edge devices.

Threat Landscape Assessment

The February 2026 Patch Tuesday highlights several trends:

1. Security Feature Bypass is Increasing

Bypassing security warnings (MoTW, OLE mitigations, MSHTML protections) is a common pre-exploitation step.

2. Privilege Escalation Remains Critical

EoP vulnerabilities represent nearly half the patches. Attackers frequently:

  • Gain initial access via phishing.
  • Escalate to SYSTEM.
  • Deploy ransomware or credential harvesters.

3. Hybrid Cloud is a Primary Target

Azure Arc, Confidential Containers, and DevOps Server flaws demonstrate the growing importance of cloud control plane security.

4. Attack Chains Are Becoming Modular

Many of this month’s vulnerabilities are ideal for chaining:

  • Bypass → RCE → EoP → Persistence

Recommended Mitigation Strategy

Immediate Actions

  • Deploy February cumulative updates.
  • Prioritize zero-days (Shell, MSHTML, Word, DWM, RDS).
  • Patch domain controllers and RDS hosts first.
  • Validate Secure Boot certificate update readiness.

Detection Enhancements

  • Monitor for new Administrator group additions.
  • Track unusual service configuration changes.
  • Detect suspicious shortcut (.lnk) execution.
  • Monitor Office spawning child processes.

Long-Term Hardening

  • Enforce attack surface reduction rules.
  • Disable NTLM where possible.
  • Harden RDP exposure.
  • Restrict OLE usage in Office via policy.

Conclusion

Microsoft’s February 2026 Patch Tuesday addresses 58 vulnerabilities across desktop, server, cloud, and developer ecosystems. With six actively exploited zero-days—three publicly disclosed—the urgency for patch deployment is high.

The dominance of elevation-of-privilege flaws and security feature bypass vulnerabilities demonstrates attackers’ continued focus on post-exploitation escalation and defense evasion.

Organizations should treat this month’s updates as a high-priority deployment cycle, particularly in environments with exposed RDP services, hybrid Azure deployments, and enterprise Office usage.

With Secure Boot certificate rotation underway and continued investment in defensive telemetry, Microsoft is addressing both immediate exploitation risks and longer-term trust infrastructure concerns.

Security teams should assume adversaries are actively weaponizing these vulnerabilities and respond accordingly.

CyberDefender