Microsoft's latest security update for February is substantial, addressing a total of 58 vulnerabilities, including six critical zero-day flaws. A zero-day vulnerability is a security gap that has been either actively exploited or publicly disclosed before the developer provides a fix.
According to reports, the identified security issues fall into various categories: 25 elevation-of-privilege vulnerabilities, five security feature bypass vulnerabilities, 12 remote code execution vulnerabilities, six information disclosure vulnerabilities, three denial of service vulnerabilities, and seven spoofing vulnerabilities. Notably, three of the elevation-of-privilege vulnerabilities and two information disclosure vulnerabilities have been classified as "critical."
Typically, Patch Tuesday updates are released at 10 am PT on the second Tuesday of each month, with devices automatically receiving these updates. This month's update also includes Secure Boot certificate updates for certificates expiring in June 2023.
Six Critical Zero-Day Vulnerabilities Resolved
This February, three of the six zero-day vulnerabilities addressed are related to security feature bypass:
CVE-2026-21510: This vulnerability in the Windows Shell enables an attacker to execute content without alerting the user, provided the user opens a malicious link or shortcut file.
CVE-2026-21513: This flaw in the MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network. Details on its exploitation have not been disclosed.
CVE-2026-21514: This Microsoft Word vulnerability permits an attacker to bypass OLE mitigations in Microsoft 365 and Office after a user opens a malicious file.
All three vulnerabilities have been reported by the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), Office Product Group Security Team, and Google Threat Intelligence Group, along with contributions from an anonymous researcher for CVE-2026-21510 and CVE-2026-21514.
Additionally, two of the zero-day vulnerabilities are elevation-of-privilege flaws. CVE-2026-21519 is a Desktop Window Manager flaw that allows an attacker to gain SYSTEM privileges, while CVE-2026-21533 is a Windows Remote Desktop Services flaw that enables local privilege elevation. The former was attributed to MSTIC and MSRC, while the latter was discovered by the Advanced Research Team at CrowdStrike.
Lastly, CVE-2026-21525 is a denial of service vulnerability in the Windows Remote Access Connection Manager that allows an unauthorized attacker to cause a local denial of service. This flaw was identified by the ACROS Security team in collaboration with 0patch and was reportedly found in a public malware repository in December 2025.