Microsoft’s February 2026 Patch Tuesday delivers security fixes for 58 distinct vulnerabilities, including six that were actively exploited and three that had already been publicly disclosed. The update bundle also addresses five issues Microsoft rates as “Critical,” comprised of three elevation-of-privilege bugs and two information-disclosure flaws. In parallel, Microsoft has started a phased rollout of replacement Secure Boot certificates to supplant 2011-era keys that expire in late June 2026. Administrators are advised to review and apply updates promptly across affected systems.
Key Takeaways
- Microsoft released fixes for 58 vulnerabilities on February 2026 Patch Tuesday, six of which were actively exploited in the wild.
- Three of the six actively exploited issues were also publicly disclosed: CVE-2026-21513, CVE-2026-21510, and CVE-2026-21514.
- Five vulnerabilities were classified as Critical — three elevation-of-privilege and two information-disclosure issues — requiring prioritised attention.
- Vulnerability category totals: 25 elevation-of-privilege, 12 remote code execution, 6 information disclosure, 5 security feature bypass, 3 denial of service, and 7 spoofing.
- Microsoft began a staged replacement of Secure Boot certificates; devices will receive new certificates after reporting sufficient successful updates.
- Notable attributions: MSTIC, MSRC, Google Threat Intelligence Group, CrowdStrike, and ACROS Security/0patch contributed to discovery or reporting.
- Patch list excludes three Microsoft Edge fixes that were addressed earlier in February 2026 and are not counted in today’s total.
Background
Microsoft’s monthly Patch Tuesday remains a focal point for system defenders because it consolidates many fixes in a predictable cadence. Over recent years, attackers have increasingly targeted widely deployed components such as Office, Windows Shell, and Remote Desktop Services, turning some disclosures into active exploitation before patches arrive. That trend has pressured both vendors and enterprise administrators to accelerate detection and deployment processes.
In this cycle, Microsoft again combined platform-level kernel and service patches with fixes affecting cloud and developer tools (Azure components, GitHub Copilot integrations). The coordinated disclosures and attributions reflect collaboration between vendor security teams (MSTIC, MSRC), third-party researchers (Google Threat Intelligence Group, CrowdStrike), and private security vendors (ACROS/0patch).
Main Event
February’s update addresses six actively exploited vulnerabilities spanning security feature bypasses, elevation of privilege, and denial of service. Key Windows components patched include Windows Shell (CVE-2026-21510), MSHTML (CVE-2026-21513), and Microsoft Word (CVE-2026-21514), each of which Microsoft says has been observed in exploitation or public disclosure prior to remediation.
Microsoft describes CVE-2026-21510 as a Windows Shell security feature bypass that can be triggered when a user opens a specially crafted link or shortcut; the vendor warns that a successful exploit can bypass SmartScreen and other Shell prompts. CVE-2026-21513 is an MSHTML protection failure exploitable over a network, while CVE-2026-21514 affects OLE mitigations in Office and requires a user to open a malicious Office file.
Privilege-escalation fixes include CVE-2026-21519 in Desktop Window Manager and CVE-2026-21533 in Remote Desktop Services, the latter reported by CrowdStrike and observed being used to add an administrative user. The Remote Access Connection Manager DoS issue (CVE-2026-21525), reported by ACROS Security with 0patch, was found in a public malware repository and led to emergency attention before Microsoft issued a patch.
Microsoft also clarified that three of the six zero-days were publicly disclosed prior to patching and that additional context on exploitation for CVE-2026-21533 and CVE-2026-21525 was added on 2026-02-10. The company continues to limit technical details in advisories to avoid aiding attackers while still communicating risk and remediation steps.
Analysis & Implications
Having six actively exploited vulnerabilities fixed in a single month is notable but not unprecedented. Attackers frequently focus on components that can be triggered remotely or via user interaction (email attachments, malicious links). The presence of multiple elevation-of-privilege fixes is important because such bugs let an attacker with a foothold escalate to SYSTEM or administrator privileges and thereby expand impact inside networks.
The phased Secure Boot certificate rollout signals Microsoft preparing for an infrastructure-level change: 2011 certificates expire in late June 2026, and replacing them requires care to avoid bricking devices or disrupting update pipelines. Microsoft’s approach — issuing new certificates only after devices demonstrate successful update signals — reduces risk during deployment but places a premium on administrators keeping systems current so they qualify for the certificate update.
From a vendor ecosystem perspective, the list shows cross-product exposure: Azure services, development SDKs, GitHub integrations, Office apps, and core Windows subsystems. Organizations operating mixed environments should prioritise RCE and elevation-of-privilege patches for externally facing and high-privilege systems, and validate compensating controls such as network segmentation and least-privilege policies.
Finally, public reporting and third-party micropatch efforts (for example, 0patch) continue to influence timelines. While unofficial mitigations can provide short-term protection, enterprises should treat vendor-supplied fixes as the authoritative remedial action and test updates before broad deployment.
Comparison & Data
| Vulnerability Category | Count |
|---|---|
| Elevation of Privilege | 25 |
| Security Feature Bypass | 5 |
| Remote Code Execution | 12 |
| Information Disclosure | 6 |
| Denial of Service | 3 |
| Spoofing | 7 |
This breakdown highlights that elevation-of-privilege remains the largest single category in this update (25 of 58). Remote code execution — often prioritised by defenders — accounts for 12 entries. The table excludes three Microsoft Edge fixes patched earlier in February that are not counted in the 58 reported here.
Reactions & Quotes
“With this update, Windows quality updates include a broad set of targeting data that identifies devices and their ability to receive new Secure Boot certificates,” Microsoft noted in Windows 11 update documentation.
Microsoft (Windows 11 update notes)
“We found an exploit for this issue in December 2025 in a public malware repository while searching for an exploit for CVE-2025-59230,”
Mitja Kolsek, ACROS Security / 0patch (comment to BleepingComputer)
“The CVE-2026-21533 exploit binary modifies a service configuration key … which could enable adversaries to escalate privileges to add a new user to the Administrator group,”
Adam Meyers, CrowdStrike (statement to BleepingComputer)
These statements indicate vendor transparency about risk and root cause while limiting detailed exploitation techniques. Third-party researchers stressed that the presence of exploit code in public repositories accelerates both defensive and offensive activity.
Unconfirmed
- Whether CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514 were exploited together in a single coordinated campaign remains unclear.
- The full extent and targeting of exploitation for CVE-2026-21525 (Remote Access Connection Manager DoS) and CVE-2026-21533 (RDP elevation) are not yet publicly documented beyond initial reports.
- Attribution of observed exploit usage for several fixes has not been publicly assigned to a specific threat actor as of publication.
Bottom Line
February’s Patch Tuesday is substantive: 58 total fixes with six actively exploited issues, several affecting core Windows components and common productivity software. Administrators should prioritise deployment for externally reachable services, endpoint applications that process untrusted content (Office, MSHTML), and systems hosting privileged accounts.
Concurrently, organisations must prepare for the Secure Boot certificate transition by ensuring devices are updated and monitoring rollout signals. Combine timely patching with compensating controls — network segmentation, multifactor authentication for privileged accounts, and monitoring for post-exploitation indicators — to reduce risk while the ecosystem absorbs these fixes.
Sources
- BleepingComputer (industry news report)
- Microsoft (official advisories and Windows 11 update notes)
- 0patch / ACROS Security (research blog / vendor disclosure)
- CrowdStrike (security vendor research / advisory)