BACK TO NEWS
ResearchCritical

Microsoft Patches 50+ Vulnerabilities in February 2026 Patch Tuesday, Including Six Zero-Days

3 min readSource: Krebs on Security
CVE-2026-21510CVE-2026-21513CVE-2026-21514CVE-2026-21533CVE-2026-21519CVE-2026-21525CVE-2026-21509CVE-2026-21516CVE-2026-21523CVE-2026-21256
Windows Update settings screen showing February 2026 Patch Tuesday security updates being applied

Microsoft’s February 2026 Patch Tuesday addresses over 50 vulnerabilities, six actively exploited zero-days, and critical flaws in Windows, Office, and AI tools like GitHub Copilot.

Microsoft Releases Critical Patches for Six Actively Exploited Zero-Days in February 2026 Update

Microsoft has released its February 2026 Patch Tuesday updates, addressing more than 50 security vulnerabilities across its Windows operating systems and other software. Notably, the update includes fixes for six zero-day vulnerabilities that are already being exploited in the wild, posing significant risks to enterprises and individual users alike.

Key Vulnerabilities and Technical Details

Among the most critical flaws patched this month are:

  • CVE-2026-21510 – A security feature bypass in Windows Shell that allows attackers to execute malicious code with a single click, bypassing user consent dialogs. Affects all supported Windows versions.
  • CVE-2026-21513 – A security bypass in MSHTML, the rendering engine for Internet Explorer and legacy Windows applications.
  • CVE-2026-21514 – A related security feature bypass in Microsoft Word, enabling attackers to execute arbitrary code.
  • CVE-2026-21533 – A privilege escalation flaw in Windows Remote Desktop Services (RDS), allowing local attackers to gain SYSTEM-level access.
  • CVE-2026-21519 – An elevation of privilege vulnerability in the Desktop Window Manager (DWM), a core Windows component. Microsoft patched a separate DWM zero-day just last month.
  • CVE-2026-21525 – A denial-of-service (DoS) vulnerability in the Windows Remote Access Connection Manager, which could disrupt VPN connections to corporate networks.

Additionally, Microsoft addressed three remote code execution (RCE) vulnerabilities in GitHub Copilot and integrated development environments (IDEs), including:

These AI-related flaws stem from command injection vulnerabilities triggered via prompt injection attacks, where malicious inputs manipulate AI agents into executing unauthorized commands.

Impact Analysis

The six actively exploited zero-days highlight the urgency of patching, as threat actors are already leveraging these flaws in targeted attacks. The Windows Shell (CVE-2026-21510) and MSHTML (CVE-2026-21513) vulnerabilities are particularly concerning due to their potential for drive-by attacks and phishing campaigns.

The privilege escalation flaws (CVE-2026-21533, CVE-2026-21519) could allow attackers with limited access to escalate to SYSTEM privileges, enabling full control over compromised systems. Meanwhile, the DoS vulnerability (CVE-2026-21525) in the Remote Access Connection Manager poses risks to enterprise VPN infrastructure, potentially disrupting remote work.

The AI-related RCE vulnerabilities (CVE-2026-21516, CVE-2026-21523, CVE-2026-21256) are especially critical for developers and DevOps teams, as compromised IDEs or AI agents could lead to supply chain attacks or exfiltration of sensitive credentials.

Recommendations for Security Teams

  1. Prioritize Patching – Immediately apply the February 2026 updates, focusing on the six zero-days and AI-related RCE flaws.
  2. Test Before Deployment – Enterprise admins should test patches in non-production environments, monitoring resources like AskWoody for potential issues.
  3. Enforce Least Privilege – Restrict AI agent and IDE access to minimize exposure if credentials are compromised.
  4. Monitor for Exploitation – Use EDR/XDR solutions to detect post-exploitation activity, particularly for privilege escalation attempts.
  5. Backup Critical Data – Ensure backups are up-to-date before applying patches to mitigate potential disruptions.
  6. Educate Developers – Raise awareness about prompt injection risks in AI tools and enforce secure coding practices.

For a detailed breakdown of all patched vulnerabilities, security teams can refer to the SANS Internet Storm Center’s analysis.

Microsoft’s February 2026 Patch Tuesday underscores the growing sophistication of cyber threats, from zero-day exploits to AI-driven attack vectors. Organizations must remain vigilant, applying patches swiftly while maintaining robust detection and response capabilities.

Share

TwitterLinkedIn