Microsoft's February 2026 Patch Tuesday: Addressing Six Actively Exploited Zero-Days

Microsoft released its February 2026 Patch Tuesday updates, addressing 58 vulnerabilities, including six zero-day flaws under active exploitation. This release also includes three additional zero-days that were publicly disclosed prior to patching. Dustin Childs from Trend Micro’s Zero Day Initiative raised concerns over whether this signals “another ‘hot exploit summer’” or merely an anomaly.

Key Actively Exploited Vulnerabilities

• CVE-2026-21510: A security feature bypass vulnerability in Windows SmartScreen.
• CVE-2026-21513: A security feature bypass vulnerability in the MSHTML framework.

Details on CVE-2026-21510: Windows SmartScreen Vulnerability

CVE-2026-21510 exploits Windows SmartScreen to bypass security protections by tricking users into opening specifically crafted links or shortcut files. This enables attacker-controlled content to execute without triggering SmartScreen or shell-based warnings, effectively bypassing Mark of the Web protections.

• Discovered by: Microsoft Threat Intelligence Center, Microsoft Security Response Center, the Office Product Group Security Team, Google Threat Intelligence Group, and an anonymous researcher.
• Impact: Malicious files from the internet execute without warning dialogs, significantly lowering barriers for exploitation through phishing links.

Details on CVE-2026-21513: MSHTML Framework Vulnerability

Operating within the MSHTML framework, this flaw allows attackers to bypass execution prompts when users interact with malicious files over a network. Exploitation requires user interaction, such as opening a malicious HTML file or clicking a shortcut delivered via email, link, or download.

• Impact: Despite Microsoft Edge's migration to Chromium, MSHTML remains embedded in Windows shell components and third-party applications, creating a persistent attack surface.
• Requirements: Exploitation does not require attacker privileges but does necessitate user interaction.

Other Actively Exploited Zero-Days

• CVE-2026-21514: A vulnerability in Microsoft Word and Microsoft 365 bypassing OLE mitigations, allowing code execution via malicious Office documents.
• CVE-2026-21519: A privilege escalation vulnerability in Desktop Window Manager, granting SYSTEM-level access to local attackers.
• CVE-2026-21525: A denial-of-service vulnerability caused by a null pointer dereference, enabling attackers to crash systems and disrupt operations.
• CVE-2026-21533: A privilege escalation vulnerability in Windows Remote Desktop Services, affecting systems with RDP enabled.

These vulnerabilities collectively target critical components like Microsoft Word, Desktop Window Manager, and Remote Desktop Services, emphasizing the breadth of Microsoft's enterprise integration.

Patch Tuesday Summary

The February 2026 security release addresses:

• 25 Elevation of Privilege vulnerabilities
• 12 Remote Code Execution vulnerabilities
• 7 Spoofing vulnerabilities
• 6 Information Disclosure vulnerabilities
• 5 Security Feature Bypass vulnerabilities
• 3 Denial of Service vulnerabilities

Although the total number of vulnerabilities (58) is significantly lower than January 2026’s 112 CVEs, the proportion of actively exploited vulnerabilities has risen sharply. This reflects a shift in attacker methodology from indiscriminate scanning to targeted exploitation of security controls.

Government Response and Mandates

In response to active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. Federal civilian executive branch agencies are required to patch these vulnerabilities within 21 days of catalog publication, with a deadline of March 3, 2026.

Private sector enterprises must also act quickly, as federal mandates often set a de facto standard for patching timelines. The challenge lies in balancing patch deployment with operational continuity, especially in high-stakes environments.

Microsoft's Security Commitment Under Scrutiny

Despite Microsoft’s public declaration in November 2025 that security is its top priority, the release of six actively exploited zero-days highlights ongoing challenges in securing its software platforms. Cory Simpson, Senior Advisor to the Cyberspace Solarium Commission, emphasized that true security leadership requires baseline hygiene and resilience-by-design, including diversified dependencies and architectures capable of operating under persistent vulnerability discovery.

Recommendations for Organizations

Security researchers urge immediate deployment of the February 2026 patches, with priority given to CVE-2026-21510 and CVE-2026-21513 due to their wide attack surface and active exploitation.

1. Patch affected systems, including Windows 10, Windows 11, Windows Server 2019, 2022, and 2025.
2. Review endpoints for signs of compromise related to SmartScreen and MSHTML bypass attempts.
3. Prioritize patching internet-facing systems and endpoints with high user interaction rates.

Both CVE-2026-21510 and CVE-2026-21513 rely on social engineering for initial compromise. Security teams must act swiftly, as every day without patches increases the risk of successful exploitation through phishing campaigns that bypass security warnings.

Conclusion

With active exploitation ongoing and federal mandates in place, organizations face a critical decision: deploy patches immediately, accepting potential operational disruptions, or risk further breaches as attackers refine their techniques. The February 2026 Patch Tuesday underscores the evolving threat landscape and the urgency of proactive security measures.