Microsoft Patch Tuesday, February 2026 Security Update Review
Microsoft’s February 2026 Patch Tuesday focuses on closing security gaps that attackers could exploit, reinforcing the importance of timely patching in enterprise environments. Here’s a quick breakdown of what you need to know.
This month’s release addresses 61 vulnerabilities, including five critical and 52 important-severity vulnerabilities.
In this month’s updates, Microsoft has addressed six zero-day vulnerabilities that have been exploited in the wild.
Microsoft addressed one vulnerability in Microsoft Edge (Chromium-based) that was patched earlier this month.
Microsoft Patch Tuesday, February edition, includes updates for vulnerabilities in Microsoft Exchange Server, Microsoft Graphics Component, Windows NTLM, Windows Remote Access Connection Manager, Windows Remote Desktop, and more.
From elevation of privilege flaws to remote code execution risks, this month’s patches are essential for organizations aiming to maintain a robust security posture.
The February 2026 Microsoft vulnerabilities are classified as follows:
| Vulnerability Category | Quantity | Severities |
| Spoofing Vulnerability | 7 | Important: 6 |
| Denial of Service Vulnerability | 3 | Important: 3 |
| Elevation of Privilege Vulnerability | 25 | Critical: 3 Important: 22 |
| Information Disclosure Vulnerability | 6 | Critical: 2 Important: 4 |
| Remote Code Execution Vulnerability | 12 | Important: 12 |
| Security Feature Bypass Vulnerability | 5 | Important: 5 |
Zero-day Vulnerabilities Patched in February Patch Tuesday Edition
CVE-2026-21519: Desktop Windows Manager Elevation of Privilege Vulnerability
Desktop Window Manager is a system service in Windows (Vista and later) that enables visual effects such as transparency, window animations, and live taskbar thumbnails via GPU hardware acceleration.
A type confusion flaw in the Desktop Window Manager may allow an authenticated attacker to elevate privileges locally. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
CVE-2026-21533: Windows Remote Desktop Services Elevation of Privilege Vulnerability
Windows Remote Desktop Services (RDS) is a Microsoft Windows Server technology that allows users to securely access virtualized desktops, applications, and resources from any device, anywhere.
An improper privilege management flaw in Windows Remote Desktop could allow an authenticated attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
CVE-2026-21510: Windows Shell Security Feature Bypass Vulnerability
The Windows Shell is the primary interface for users to interact with the Windows operating system, encompassing visible elements like the Desktop, Taskbar, and Start Menu.
A failure in the Windows Shell protection mechanism may allow an unauthenticated attacker to bypass a network security feature. An attacker must convince a user to open a malicious link or shortcut file to exploit the vulnerability.
CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
CVE-2026-21514: Microsoft Word Security Feature Bypass Vulnerability
An attacker must send a user a malicious Office file and convince them to open it to exploit the vulnerability.
CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
CVE-2026-21525: Windows Remote Access Connection Manager Denial of Service Vulnerability
Windows Remote Access Connection Manager is a core Windows service that manages dial-up and Virtual Private Network connections, allowing user computers to securely connect to remote networks, corporate resources, or other devices.
A null pointer dereference in Windows Remote Access Connection Manager could allow an unauthenticated attacker to deny service locally.
CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
CVE-2026-21513: MSHTML Framework Security Feature Bypass Vulnerability
The MSHTML Framework (also known as Trident) is a proprietary browser engine developed by Microsoft. It is a software component that renders web pages and other HTML content within applications running on Microsoft Windows.
A failure in the MSHTML Framework protection mechanism could allow an unauthenticated attacker to bypass a security feature over a network.
CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
Critical Severity Vulnerabilities Patched in February Patch Tuesday Edition
CVE-2026-24300: Azure Front Door Elevation of Privilege Vulnerability
Microsoft mentioned in the advisory, “This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.”
CVE-2026-21522: Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability
A command injection flaw in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. Upon successful exploitation, an attacker could execute arbitrary commands within the affected ACI container’s context, thereby running code with the same privileges as the compromised container.
CVE-2026-23655: Microsoft ACI Confidential Containers Information Disclosure Vulnerability
Upon successful exploitation of the vulnerability, an attacker could disclose the secret tokens and keys.
CVE-2026-24302: Azure Arc Elevation of Privilege Vulnerability
As per the Microsoft advisory, “This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.”
CVE-2026-21532: Azure Function Information Disclosure Vulnerability
As per the Microsoft advisory, “This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.”
Other Microsoft Vulnerability Highlights
- CVE-2026-21511 is a spoofing vulnerability in Microsoft Outlook. Deserialization of untrusted data in Microsoft Office Outlook may allow an unauthenticated attacker to perform network spoofing.
- CVE-2026-21253 is an elevation of privilege vulnerability in the Mailslot File System. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
- CVE-2026-21241 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. Successful exploitation of the vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-21238 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. Successful exploitation of the vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-21231 is an elevation of privilege vulnerability in the Windows Kernel. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Windows Win32K – GRFX, Microsoft Edge for Android, Windows Notepad App, Windows GDI+, .NET and Visual Studio, Windows Kernel, Azure Local, Power BI, Windows HTTP.sys, Windows Connected Devices Platform Service, Windows Ancillary Function Driver for WinSock, Windows Subsystem for Linux, Windows LDAP – Lightweight Directory Access Protocol, Role: Windows Hyper-V, Windows Cluster Client Failover, Mailslot File System, GitHub Copilot and Visual Studio, Microsoft Office Excel, Microsoft Office Word, Windows Storage, Windows Shell, Microsoft Office Outlook, Azure DevOps Server, Internet Explorer, Github Copilot, Windows App for Mac, .NET, Desktop Window Manager, Azure Compute Gallery, Azure IoT SDK, Azure HDInsights, Azure SDK, Azure Function, Microsoft Defender for Linux, Azure Front Door (AFD), Azure Arc, and Microsoft Edge (Chromium-based).
Visit the February 2026 Security Updates to access the full description of each vulnerability and the systems it affects.
Qualys customers can scan their networks with QIDs 110517, 110518, 110519, 386526, 386527, 50145, 92350, 92351, 92352, 92353, 92354, 92355, 92356, 92357, 92358, 92359, 92360, 92361 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References:
https://msrc.microsoft.com/update-guide
https://msrc.microsoft.com/update-guide/releaseNote/2026-Feb
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21522
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23655
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24302
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21532
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21533
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21519
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21510
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21514
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21525
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-21513
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-24300
Comments are closed.