Microsoft rolls out important security updates on the second Tuesday of each month, known as Patch Tuesday. This month, the updates address 59 Microsoft CVEs, including 6 zero-day vulnerabilities.  

Here is a quick overview of the six zero-day vulnerabilities that are currently being exploited.  

Windows Shell Security Feature Bypass Vulnerability 

CVE-2026-21510 (CVSS score 8.8 out of 10) is a security feature bypass in Windows Shell. If an attacker convinces someone to open a malicious link or shortcut file, they can bypass Windows SmartScreen and similar security prompts.  

This vulnerability can be exploited over the network, but it still requires user action. The attacker tricks the victim into opening a harmful shortcut or link. If successful, the attacker can hide the usual Windows security warnings, making it easier to deliver and run more malicious files without the user noticing.  

MSHTML Framework Security Feature Bypass Vulnerability 

CVE-2026-21513 (CVSS score 8.8 out of 10) affects the MSHTML framework, which is used for web rendering in Internet Explorer. This flaw is a failure of a network protection mechanism that allows attackers to circumvent network security features.  

To exploit this, the attacker needs the victim to open a malicious HTML file or a specially crafted shortcut that uses MSHTML. Once opened, the attacker can bypass some security checks in MSHTML, potentially weakening browser or Office protections and enabling further attacks or phishing.  

Microsoft Word: Security Feature Bypass Vulnerability 

CVE-2026-21519 (CVSS score 7.8 out of 10) is a local elevation-of-privilege vulnerability in Windows Desktop Window Manager. It is caused by type confusion, in which the system mistakenly treats one type of data as another, leading to unanticipated behavior.  

An attacker who is already logged in with low privileges can exploit this issue without needing the user to do anything. They must run a program or exploit on the target system. If successful, the attacker could gain system-level privileges.  

Windows Remote Access Connection Manager Denial of Service Vulnerability 

CVE-2025-21525 (CVSS score 6.2 out of 10) is a denial-of-service vulnerability in the Windows Remote Access Connection Manager (RasMan) service.  

A local attacker who is not logged in can easily exploit this flaw. It can crash the service or even the whole system, but it does not allow the attacker to gain additional privileges or run malicious code.  

Windows Remote Desktop Services Elevation of Privilege Vulnerability 

CVE-2026-21533 (CVSS Score: 7.8 out of 10) is an elevation-of-privilege vulnerability in Windows Remote Desktop Services. It is caused by improper management of user privileges.  

An attacker with low-privilege credentials can exploit this flaw without user assistance. They can run their own code on a system running Remote Desktop Services and use the vulnerability to gain system privileges, fully compromising the system.  

Azure users should also be aware of two serious vulnerabilities, each with a CVSS score of 9.8.  

  • CVE-2026-21531 affecting Azure SDK  
  • CVE-2026-24300 affecting Azure Front Door  

How to apply fixes and check these updates 

These updates fix security issues and help keep your Windows PC safe. Here is how you can check that your system is up to date.  

Open Settings. Click on the Start button, which is the Windows logo at the bottom left of your screen.  

Click on Settings, which looks like a small gear icon.  

Go to Windows Update.  

In the settings window, choose Windows Update. You will usually find it at the bottom of the menu on the left.  

Look for updates.  

Click the “Search for updates” button.  

Windows will now look for the latest Patch Tuesday updates.  

If you turned on Windows updates before, you might see this in your update library.  

Or you might see a message saying “Restart Required”. If so, reboot your computer to complete the update!  

If you don’t see that, keep following the steps below.  

Download and install.  

If updates are available, they will start downloading automatically. When they are done, you will see a button that says “Install” or “Restart now.”  

Install if needed. Follow any instructions. Your computer will likely need to restart to finish the update. If so, click Restart now.  

Verify you are up to date.  

After restarting, return to Windows Update and verify again. If it says you are up to date, you are good to go.
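
The same verification can be scripted in PowerShell, which helps when checking more than one machine. This is an added example, not part of the original article: the function names `Get-PatchTuesday` and `Test-PatchTuesdayApplied` are hypothetical, and the script assumes that an update installed on or after the most recent second Tuesday, with no restart pending, indicates that patching ran.

```powershell
# Added example (not from the original article). Helper names are hypothetical.

function Get-PatchTuesday {
    param([datetime]$Now = (Get-Date))
    # Second Tuesday of the month that contains $Now.
    $first  = [datetime]::new($Now.Year, $Now.Month, 1)
    $offset = (([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek) + 7) % 7
    $second = $first.AddDays($offset + 7)
    # Before this month's release day, fall back to last month's Patch Tuesday.
    if ($Now.Date -lt $second) {
        return Get-PatchTuesday -Now $first.AddDays(-1)
    }
    return $second
}

function Test-PatchTuesdayApplied {
    $patchDay = Get-PatchTuesday
    # Get-HotFix reads Win32_QuickFixEngineering; InstalledOn can be empty
    # for some entries, so those are skipped rather than compared.
    $recent = @(Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchDay } |
        Sort-Object InstalledOn -Descending)

    # Registry keys Windows creates while a restart is still needed
    # to finish installing updates.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $pendingReboot = [bool]($rebootKeys | Where-Object { Test-Path $_ })

    [pscustomobject]@{
        PatchTuesday          = $patchDay.ToString('yyyy-MM-dd')
        InstalledSincePatchDay = @($recent | ForEach-Object { "$($_.HotFixID) ($($_.Description))" })
        PendingReboot         = $pendingReboot
        # Heuristic only: confirm the listed KB IDs against Microsoft's
        # release notes for your Windows build.
        LikelyPatched         = ($recent.Count -gt 0) -and (-not $pendingReboot)
    }
}

Test-PatchTuesdayApplied | Format-List
```

A result with `PendingReboot` set to True corresponds to the "Restart Required" state described above: the updates are downloaded but not yet effective until the machine restarts.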

Source: February 2026 Patch Tuesday includes six actively exploited zero-days
