Microsoft’s February Patch Tuesday Update Fixes Six Zero-Day Exploits

Microsoft’s February security update is important. This latest “Patch Tuesday” fixes 58 vulnerabilities in total, six of which are zero-day flaws. As a reminder, a zero-day is a vulnerability that has either been actively exploited in the wild or publicly disclosed before an official patch is released by the developer.
As BleepingComputer reports, security vulnerabilities were found in the following categories: 25 elevation of privilege vulnerabilities, five security feature bypass vulnerabilities, 12 remote code execution vulnerabilities, six information disclosure vulnerabilities, three denial of service vulnerabilities, and seven spoofing vulnerabilities. Three of the elevation of privilege vulnerabilities and two of the information disclosure vulnerabilities are considered “critical.” (These numbers do not include the three Microsoft Edge vulnerabilities patched earlier in February.)
Patch Tuesday updates are typically released around 10 a.m. PT on the second Tuesday of each month, and your device should receive them automatically. BleepingComputer reports that this month’s release also includes Secure Boot certificate updates for 2011 certificates that expire in June.
Six zero days corrected in February
Three of the six zero-day vulnerabilities actively exploited and patched in February are security feature bypass vulnerabilities:
- CVE-2026-21510: This is a Windows shell flaw that allows an attacker to execute content without warning or user consent, although the user must open a malicious link or shortcut file.
- CVE-2026-21513: This MSHTML framework vulnerability allows an unauthorized attacker to bypass a security feature on a network. Microsoft has not released details on how this flaw was exploited.
- CVE-2026-21514: This vulnerability in Microsoft Word allows an attacker to bypass OLE mitigations in Microsoft 365 and Microsoft Office after a user opens a malicious Office file.
Discovery of the three vulnerabilities above has been credited to the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), Office Product Group Security Team, and Google Threat Intelligence Group, as well as an anonymous researcher for CVE-2026-21510 and CVE-2026-21514.
Two of the zero-days are elevation of privilege vulnerabilities. CVE-2026-21519 is a flaw in Desktop Window Manager that allows an attacker to gain SYSTEM privileges, while CVE-2026-21533 is a flaw in Windows Remote Desktop Services that allows an attacker to elevate privileges locally. The former was credited to MSTIC and MSRC, while the latter was discovered by CrowdStrike’s advanced research team.
Finally, CVE-2026-21525 is a denial of service vulnerability in Windows Remote Access Connection Manager that allows an unauthorized attacker to deny service locally. This flaw was discovered by the ACROS security team with 0patch; it was reportedly found in a public malware repository in December 2025.


