Microsoft’s February Patch Tuesday Update Patched Six Zero-Day Vulnerabilities.
Microsoft’s February security update is a major one. This latest “Patch Tuesday” patches a total of 58 vulnerabilities, six of which are zero-day vulnerabilities. A zero-day vulnerability is one that has either been actively exploited by attackers in the wild or was publicly disclosed before the developer officially released a patch.
As reported by BleepingComputer , vulnerabilities were discovered in the following categories: 25 privilege escalation vulnerabilities, five security feature bypass vulnerabilities, 12 remote code execution vulnerabilities, six information disclosure vulnerabilities, three denial of service vulnerabilities, and seven address spoofing vulnerabilities. Three of the privilege escalation vulnerabilities and two of the information disclosure vulnerabilities are considered “critical.” (These figures do not include the three Microsoft Edge vulnerabilities patched earlier in February.)
Patch Tuesday updates are typically released around 10 AM PT on the second Tuesday of each month, and your device should receive them automatically. BleepingComputer reports that Secure Boot certificate updates for 2011 certificates, which expire in June, have also been released this month.
Six zero-day vulnerabilities were patched in February.
Three of the six actively exploited zero-day vulnerabilities patched in February were vulnerabilities that allowed security features to be bypassed:
-
CVE-2026-21510 : A vulnerability in the Windows shell could allow an attacker to execute content without warning or obtaining the user’s consent, even though the user would need to open a malicious link or shortcut file to do so.
-
CVE-2026-21513 : This vulnerability in the MSHTML Framework allows an unauthorized attacker to bypass a network security feature. Microsoft did not provide details on how this vulnerability was exploited.
-
CVE-2026-21514 : This vulnerability in Microsoft Word allows an attacker to bypass OLE protections in Microsoft 365 and Microsoft Office after a user opens a malicious Office file.
All three of the above vulnerabilities were attributed to the Microsoft Threat Analysis Center (MSTIC), the Microsoft Security Response Center (MSRC), the Office Product Security Team, and the Google Threat Analysis Team, as well as an anonymous researcher working on CVE-2026-21510 and CVE-2026-21514.
Two of the zero-day vulnerabilities are privilege escalation vulnerabilities. CVE-2026-21519 is a vulnerability in Windows Desktop Manager that could allow an attacker to gain system privileges, and CVE-2026-21533 is a vulnerability in Windows Remote Desktop Services that could allow an attacker to escalate privileges locally. The former was discovered by MSTIC and MSRC, and the latter by the CrowdStrike Advanced Research Group.
Finally, CVE-2026-21525 is a denial of service vulnerability in Windows Remote Access Connection Manager that allows an unauthorized attacker to locally deny service. This vulnerability was discovered by the ACROS security team using 0patch and was reportedly found in a publicly available malware repository in December 2025.