Microsoft Patch Tuesday February 2026 addressed 54 vulnerabilities including six zero-days across Windows, Office, Azure services, Exchange Server, and developer tools.
The latest patch update, rollout is notable not only for its smaller size but for the presence of six zero-day vulnerabilities that were already being exploited in active attacks before patch availability. As part of the 2026 patch Tuesday, the release carries heightened urgency for enterprise defenders and system administrators.
Microsoft Patch Tuesday February has Six New Zero-Day Fixes
The most critical aspect of this Microsoft Patch Tuesday February update is the confirmation that six vulnerabilities were under active exploitation. These flaws impact core Windows components and productivity applications widely deployed in enterprise environments.
The actively exploited zero-days are:
- CVE-2026-21510: Windows Shell Security Feature Bypass (Severity: Important; CVSS 7.8)
- CVE-2026-21513: MSHTML Platform Security Feature Bypass (Important; CVSS 7.5)
- CVE-2026-21514: Microsoft Word Security Feature Bypass (Important; CVSS 7.8)
- CVE-2026-21519: Desktop Window Manager Elevation of Privilege (Important; CVSS 7.8)
- CVE-2026-21525: Windows Remote Access Connection Manager Denial of Service (Important; CVSS 7.5)
- CVE-2026-21533: Windows Remote Desktop Services Elevation of Privilege (Important; CVSS 7.8)
CVE-2026-21510 allows attackers to bypass the Mark of the Web (MoTW) mechanism in Windows Shell, preventing users from seeing security warnings on files downloaded from the internet. CVE-2026-21513, affecting the MSHTML engine, enables malicious shortcut or file-based payloads to bypass prompts and execute code without user awareness. CVE-2026-21514 similarly permits crafted Microsoft Word files to evade OLE mitigation protections.
Privilege escalation vulnerabilities are also prominent. CVE-2026-21519 involves a type confusion flaw in the Desktop Window Manager that can grant attackers SYSTEM-level privileges. CVE-2026-21533 affects Windows Remote Desktop Services, allowing authenticated attackers to elevate privileges due to improper privilege handling. Meanwhile, CVE-2026-21525 can trigger a null pointer dereference in Windows Remote Access Connection Manager, leading to denial-of-service conditions by crashing VPN connections.
Vulnerability Distribution and Impact
Beyond the zero-days, Microsoft Patch Tuesday resolves a broad range of additional issues. Of the 54 vulnerabilities fixed, Elevation of Privilege (EoP) flaws account for 25. Remote Code Execution (RCE) vulnerabilities total 12, followed by 7 spoofing issues, 6 information disclosure flaws, 5 security feature bypass vulnerabilities, and 3 denial-of-service issues.
High-risk vulnerabilities affecting enterprise infrastructure include:
- CVE-2026-21527: Microsoft Exchange Server Spoofing Vulnerability (Critical; potential RCE vector)
- CVE-2026-23655: Azure Container Instances Information Disclosure (Critical)
- CVE-2026-21518: GitHub Copilot / Visual Studio Remote Code Execution (Important)
- CVE-2026-21528: Azure IoT SDK Remote Code Execution (Important)
- CVE-2026-21531: Azure SDK Vulnerability (Important; CVSS 9.8)
- CVE-2026-21222: Windows Kernel Information Disclosure (Important)
- CVE-2026-21249: Windows NTLM Spoofing Vulnerability (Moderate)
- CVE-2026-21509: Microsoft Office Security Feature Bypass (Important)
Azure-related services received multiple fixes, including Azure Compute Gallery (CVE-2026-21522 and CVE-2026-23655), Azure Function (CVE-2026-21532; CVSS 8.2), Azure Front Door (CVE-2026-24300; CVSS 9.8), Azure Arc (CVE-2026-24302; CVSS 8.6), Azure DevOps Server (CVE-2026-21512), and Azure HDInsights (CVE-2026-21529).
Exchange Server remains a particularly sensitive asset in enterprise networks. CVE-2026-21527 highlights continued risks to messaging infrastructure, which has historically been a prime target for remote code execution and post-exploitation campaigns.
Additional CVEs and Exploitability Ratings
The official advisory states: “February 2026 Security Updates. This release consists of the following 59 Microsoft CVEs.” Among them:
- CVE-2023-2804: Windows Win32K – GRFX (CVSS 6.5; Exploitation Less Likely)
- CVE-2026-0391: Microsoft Edge for Android (CVSS 6.5; Exploitation Less Likely)
- CVE-2026-20841: Windows Notepad App (CVSS 8.8; Exploitation Less Likely)
- CVE-2026-20846: Windows GDI+ (CVSS 7.5)
- CVE-2026-21218: .NET and Visual Studio (CVSS 7.5; Exploitation Unlikely)
- CVE-2026-21231: Windows Kernel (CVSS 7.8; Exploitation More Likely)
- CVE-2026-21232: Windows HTTP.sys (CVSS 7.8)
- CVE-2026-21255: Windows Hyper-V (CVSS 8.8)
- CVE-2026-21256 and CVE-2026-21257: GitHub Copilot and Visual Studio
- CVE-2026-21258–21261: Microsoft Office Excel and Word
- CVE-2026-21537: Microsoft Defender for Linux (CVSS 8.8)
Microsoft also republished one non-Microsoft CVE: CVE-2026-1861, associated with Chrome and affecting Chromium-based Microsoft Edge.
Exploitability ratings range from “Exploitation Detected” and “Exploitation More Likely” to “Exploitation Less Likely” and “Exploitation Unlikely.” Most entries include FAQs, but workarounds and mitigations are generally listed as unavailable.
Lifecycle Notes, Hotpatching, and Known Issues
The advisory reiterates that Windows 10 and Windows 11 updates are cumulative and available through the Microsoft Update Catalog. Lifecycle timelines are documented in the Windows Lifecycle Facts Sheet. Microsoft is also continuing improvements to Windows Release Notes and provides servicing stack update details under ADV990001.
The Hotpatching feature is now generally available for Windows Server Azure Edition virtual machines. Customers using Windows Server 2008 or Windows Server 2008 R2 must purchase Extended Security Updates to continue receiving patches; additional information is available under 4522133.
Known issues tied to this 2026 Patch Tuesday release include:
- KB5075942: Windows Server 2025 Hotpatch
- KB5075897: Windows Server 23H2
- KB5075899: Windows Server 2025
- KB5075906: Windows Server 2022
Given the confirmed exploitation of multiple zero-days and the concentration of Elevation of Privilege and Remote Code Execution flaws, Microsoft Patch Tuesday 2026 represents a high-priority patch cycle. Organizations are advised to prioritize remediation of the six actively exploited vulnerabilities and critical infrastructure components, and to conduct rapid compatibility testing to reduce operational disruption.
