Microsoft February 2026 Patch Tuesday
Below∅Day Microsoft's February 2026 Patch Tuesday with six actively exploited and three publicly disclosed zero-day vulnerabilities.
[+] Microsoft Patch Tuesday
[+] February 2026 Security Updates
[+] Total of 61 Vulnerabilities
[-] 25 Elevation of Privilege [EoP]
[-] 5 Security Feature Bypass [FB]
[-] 12 Remote Code Execution [RCE]
[-] 6 Information Disclosure [ID]
[-] 3 Denial of Service [DoS]
[-] 7 Spoofing
[-] 3 Edge - Chromium
[+] 6 Exploited In The Wild
[-] CVE-2026-21519 - 7.8 - Desktop Window Manager:EoP
[-] CVE-2026-21533 - 7.8 - Windows Remote Desktop Services:EoP
[-] CVE-2026-21513 - 8.8 - MSHTML Framework Security:FB
[-] CVE-2026-21510 - 8.8 - Windows Shell Security:FB
[-] CVE-2026-21514 - 7.8 - Microsoft Word Security:FB
[-] CVE-2026-21525 - 6.2 - Windows Remote Access Connection Manager:DoS
[+] Highest Rated Vulnerabilities
[-] CVE-2026-21523 - 8.0 - GitHub Copilot and Visual Studio Code:RCE
[-] CVE-2026-21229 - 8.0 - Power BI:RCE
[-] CVE-2026-21513 - 8.8 - MSHTML Framework Security:FB
[-] CVE-2026-24300 - 9.8 - Azure Front Door:EoP
[-] CVE-2026-24302 - 8.6 - Azure Arc:EoP
[-] CVE-2026-21532 - 8.2 - Azure Function:ID
[-] CVE-2026-21531 - 9.8 - Azure SDK for Python:RCE
[-] CVE-2026-21510 - 8.8 - Windows Shell Security:FB
[-] CVE-2026-21537 - 8.8 - Microsoft Defender for Endpoint Linux Extension:RCE
[-] CVE-2026-21516 - 8.8 - GitHub Copilot for Jetbrains:RCE
[-] CVE-2026-21257 - 8.0 - GitHub Copilot and Visual Studio:EoP
[-] CVE-2026-21256 - 8.8 - GitHub Copilot and Visual Studio:RCE
[-] CVE-2026-21228 - 8.1 - Azure Local:RCE
[-] CVE-2026-20841 - 8.8 - Windows Notepad App:RCE
[-] CVE-2026-21255 - 8.8 - Windows Hyper-V Security:FB
[+] 5 Vulnerabilities More Likely To Be Exploited
[-] CVE-2026-21511 -- Microsoft Outlook:Spoofing
[-] CVE-2026-21253 -- Mailslot File System:EoP
[-] CVE-2026-21241 -- Windows Ancillary Function Driver for WinSock:EoP
[-] CVE-2026-21238 -- Windows Ancillary Function Driver for WinSock:EoP
[-] CVE-2026-21231 -- Windows Kernel:EoP
February’s release is a “drop everything” month: Microsoft’s February 2026 security updates include 6 vulnerabilities confirmed as exploited in the wild (i.e., active attacks observed), spanning EoP, Security Feature Bypass, and DoS. Microsoft's full report here.
--The 6 exploited CVEs--
1) CVE-2026-21519 — Desktop Window Manager (DWM) EoP (CVSS 7.8)
Why it matters: local authenticated attacker can elevate to SYSTEM (classic post-comp foothold → full takeover).
Patch priority: Highest on endpoints and VDI pools; assume it’ll be chained with phishing/RCE elsewhere.
2) CVE-2026-21533 — Windows Remote Desktop Services EoP (CVSS 7.8)
Why it matters: EoP in the RDS stack is especially concerning in environments with broad RDP use (jump boxes, admins, shared servers).
Patch priority: Highest for anything with RDS/RDP exposure (even if “internal only”).
3) CVE-2026-21513 — MSHTML Framework Security FB (CVSS 8.8)
Why it matters: exploitation involves tricking a user into opening a malicious HTML or shortcut (.lnk) file; Microsoft notes this was publicly disclosed and exploited.
Patch priority: Immediate on user endpoints (email/Teams download paths, helpdesk machines, shared kiosks).
4) CVE-2026-21510 — Windows Shell Security FB (CVSS 8.8)
Why it matters: shell bypass bugs tend to enable execution or weakening of protections by abusing how Windows handles content, files, or trust boundaries.
Patch priority: Immediate on endpoints and RDS hosts.
5) CVE-2026-21514 — Microsoft Word Security FB (CVSS 7.8)
Why it matters: requires convincing a user to open a crafted Office file; notably, Preview Pane is not an attack vector (still very patch-now).
Patch priority: Immediate anywhere Word is installed (workstations, terminal servers).
6) CVE-2026-21525 — Remote Access Connection Manager (RasMan) DoS (CVSS 6.2)
Why it matters: “just DoS” sounds tame, but active exploitation suggests it may be used for disruption, defense evasion, or as part of a larger chain. Tenable notes this was exploited and credits 0patch for reporting.
Patch priority: Fast on VPN/RAS-heavy fleets, always-on remote workforce endpoints, and servers providing remote access services.
--Patching Game Plan--
Tier 0 [patch within 24–48 hours]
CVE-2026-21513 (MSHTML), CVE-2026-21510 (Windows Shell), CVE-2026-21514 (Word)
Reason: these map cleanly to common initial-access paths (user interaction / file delivery).
Tier 1 [patch ASAP right after Tier 0]
CVE-2026-21519 (DWM EoP), CVE-2026-21533 (RDS EoP)
Reason: strong post-comp escalators; prioritize admin workstations, shared servers, jump hosts, VDI/RDS farms.
Tier 2 [patch quickly, schedule appropriately]
CVE-2026-21525 (RasMan DoS)
Reason: exploited activity means it’s operationally relevant even if impact class is “DoS.”
