Microsoft February 2026 Patch Tuesday Fixes 50+ Vulnerabilities, Including 6 Zero-Day Flaws

Microsoft has released its February 2026 Patch Tuesday security updates, fixing a total of 58 vulnerabilities across Windows, Microsoft Office, and core system components. The update includes patches for six actively exploited zero-day vulnerabilities—three of which were publicly disclosed prior to today—underscoring continued pressure on enterprises and consumers to apply security updates promptly.

According to Microsoft, the February release also resolves five vulnerabilities rated “Critical,” including three elevation of privilege flaws and two information disclosure bugs. Elevation of privilege issues once again dominate the update, accounting for nearly half of all vulnerabilities addressed this month.

Breakdown of Vulnerabilities

Microsoft’s February Patch Tuesday covers the following categories of security flaws:

3 Denial of Service vulnerabilities
5 Security Feature Bypass vulnerabilities
6 Information Disclosure vulnerabilities
7 Spoofing vulnerabilities
12 Remote Code Execution vulnerabilities
25 Elevation of Privilege vulnerabilities

The totals are consistent with recent Patch Tuesday releases, where privilege escalation bugs have increasingly become a favored technique among attackers seeking to turn initial access into full system compromise.

Secure Boot Certificate Rollout Begins

Beyond vulnerability fixes, Microsoft has also started a significant infrastructure change tied to Secure Boot. The February updates initiate a phased rollout of new Secure Boot certificates, replacing the original certificates issued in 2011 that are set to expire in late June 2026.

In the Windows 11 release notes, Microsoft explained that devices will receive the updated certificates gradually:

“Windows quality updates include a broad set of targeting data that identifies devices and their ability to receive new Secure Boot certificates. Devices will receive the new certificates only after they show sufficient successful update signals, which helps ensure a safe and phased rollout.”

The replacement of the aging certificates is considered critical to maintaining the integrity of Secure Boot, a foundational security feature that prevents malicious bootloaders and rootkits from loading during system startup.

The Six Actively Exploited Zero-Day Vulnerabilities

The most concerning aspect of this month’s Patch Tuesday is the remediation of six zero-day vulnerabilities that Microsoft confirmed were already being exploited in the wild. Microsoft defines a zero-day as a flaw that is either publicly disclosed or actively exploited before an official fix is available.

Three of the six zero-days addressed in February fall into both categories.

Windows Shell and MSHTML Feature Bypasses

Windows Shell Security Feature Bypass Vulnerability

One of the actively exploited flaws, CVE-2026-21510, affects Windows Shell and allows attackers to bypass security features by tricking users into opening specially crafted links or shortcut files. Microsoft warned that exploitation could allow attackers to evade Windows SmartScreen and other shell-based warnings, potentially enabling malicious code to execute without clear user consent. Security researchers believe the issue may be related to bypassing Mark of the Web (MoTW) protections, a common target in modern malware campaigns.

MSHTML Framework Security Feature Bypass Vulnerability

Another feature bypass vulnerability, CVE-2026-21513, impacts the MSHTML framework. While Microsoft has provided limited technical detail, it confirmed that the flaw enables attackers to bypass security mechanisms remotely. The lack of public information suggests the company may be attempting to limit further exploitation while customers deploy patches.

Both vulnerabilities were identified with assistance from Microsoft’s internal security teams as well as the Google Threat Intelligence Group.

Microsoft Word OLE Mitigation Bypass

Microsoft Word Security Feature Bypass Vulnerability

The third publicly disclosed zero-day, CVE-2026-21514, affects Microsoft Word and allows attackers to bypass Object Linking and Embedding (OLE) mitigations designed to block vulnerable COM/OLE controls. Successful exploitation requires convincing a user to open a malicious Office document, a technique frequently used in phishing and targeted attack campaigns.

Microsoft noted that the vulnerability cannot be exploited through the Office Preview Pane, reducing risk in some enterprise configurations. However, user interaction remains a significant attack vector, particularly in environments with high email volumes.

Privilege Escalation and Denial of Service Flaws

In addition to feature bypasses, Microsoft patched three zero-days involving privilege escalation and denial of service:

CVE-2026-21519, a Desktop Window Manager elevation of privilege vulnerability that could allow attackers to gain SYSTEM-level access.
CVE-2026-21525, a Windows Remote Access Connection Manager denial of service flaw caused by a null pointer dereference, reported by the 0patch research team.
CVE-2026-21533, an elevation of privilege vulnerability in Windows Remote Desktop Services, discovered by the Advanced Research Team at CrowdStrike.

Microsoft has not disclosed whether these vulnerabilities were exploited together or as part of separate campaigns, but security analysts note that chaining feature bypass and privilege escalation bugs is a common tactic in sophisticated attacks.

Industry and Research Collaboration

Several of the vulnerabilities patched this month were identified through collaboration between Microsoft’s internal security teams and external researchers. Contributions came from the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), the Office Product Group Security Team, and independent researchers, as well as industry partners such as Google Threat Intelligence Group and 0patch.

The vulnerability counts referenced in early reporting were compiled by Wiz, which continues to track trends across Patch Tuesday releases.

What Users and Organizations Should Do

Security professionals strongly recommend applying February’s updates as soon as possible, particularly in enterprise environments where privilege escalation and SmartScreen bypass vulnerabilities pose heightened risk. Systems exposed to phishing campaigns, remote desktop access, or high-risk user behavior should be prioritized.

Administrators are also encouraged to monitor Secure Boot certificate deployment status to ensure systems are prepared ahead of the June 2026 expiration deadline.

For users seeking more information on non-security fixes included in this release, Microsoft has also published cumulative updates for Windows 11 under KB5077181 and KB5075941.

As attackers continue to exploit zero-day vulnerabilities at a steady pace, February’s Patch Tuesday serves as another reminder that timely patching remains one of the most effective defenses against real-world cyber threats.