Microsoft Patches 59 Vulnerabilities, Including Six Actively Exploited Zero-Days

  • Feb 11

Key Findings


  • Microsoft released security updates to address 59 vulnerabilities, including 6 that are actively being exploited in the wild.

  • Of the 59 flaws, 5 are rated Critical, 52 are rated Important, and 2 are rated Moderate in severity.

  • 25 of the patched vulnerabilities are privilege escalation flaws, followed by remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial-of-service (3), and cross-site scripting (1).

  • The 6 actively exploited vulnerabilities are:

      • CVE-2026-21510 (CVSS 8.8) - Windows Shell protection mechanism failure allowing security bypass

      • CVE-2026-21513 (CVSS 8.8) - MSHTML Framework security feature bypass

      • CVE-2026-21514 (CVSS 7.8) - Microsoft Office Word reliance on untrusted inputs vulnerability

      • CVE-2026-21519 (CVSS 7.8) - Windows Desktop Window Manager type confusion vulnerability

      • CVE-2026-21525 (CVSS 6.2) - Windows Remote Access Connection Manager null pointer dereference

      • CVE-2026-21533 (CVSS 7.8) - Windows Remote Desktop Services elevation of privilege


Background


The vulnerabilities addressed in this month's Patch Tuesday include a mix of remote code execution, privilege escalation, and security bypass flaws across various Microsoft products. Three of the actively exploited zero-days are security feature bypass vulnerabilities, which allow attackers to bypass built-in protections in Windows, Office, and other Microsoft software.


CVE-2026-21510: Windows Shell Protection Mechanism Failure


This vulnerability (CVSS 8.8) allows attackers to bypass security warnings and prompts by tricking users into opening crafted malicious links or shortcut files. It was discovered and reported by Google's Threat Analysis Group and Microsoft's internal security team.


CVE-2026-21513: MSHTML Framework Security Feature Bypass


This security feature bypass flaw (CVSS 8.8) in the MSHTML framework can be exploited by attackers to bypass security controls and execute arbitrary code when a victim opens a malicious HTML page or LNK file. This vulnerability was also reported by Google TAG and Microsoft.


CVE-2026-21514: Microsoft Office Word Reliance on Untrusted Inputs


This vulnerability (CVSS 7.8) in Microsoft Office Word allows attackers to bypass OLE security mitigations, enabling malicious activity when a specially crafted Office document is opened. It was discovered by an anonymous researcher and Microsoft.


CVE-2026-21519 & CVE-2026-21533: Windows Privilege Escalation


These local privilege escalation flaws (CVSS 7.8) in the Windows Desktop Window Manager and Remote Desktop Services can be abused by attackers who have already gained initial access to a system to elevate their privileges to the SYSTEM level.


CVE-2026-21525: Windows Remote Access Connection Manager DoS


This denial-of-service vulnerability (CVSS 6.2) in the Windows Remote Access Connection Manager can be exploited by local attackers to cause system crashes.


Mitigation and Recommendations


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all six actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian agencies to apply the fixes by March 3, 2026.


Private organizations are also strongly encouraged to review the KEV catalog and prioritize patching these critical vulnerabilities to protect their systems against potential exploitation.


Sources


  • https://thehackernews.com/2026/02/microsoft-patches-59-vulnerabilities.html

  • https://securityaffairs.com/187855/security/u-s-cisa-adds-microsoft-office-and-microsoft-windows-flaws-to-its-known-exploited-vulnerabilities-catalog.html

  • https://cyberscoop.com/microsoft-patch-tuesday-february-2026/

  • https://www.darkreading.com/vulnerabilities-threats/microsoft-fixes-6-actively-exploited-zero-days

  • https://cyberinsider.com/microsoft-fixes-six-actively-exploited-flaws-in-latest-windows-11-update/

© 2025 by Explain IT Again.