Today is Microsoft Patch Tuesday for February 2026. There are 59 vulnerabilities that have been addressed this time around. This month’s release is particularly noteworthy with six vulnerabilities being actively exploited in the wild, two critical-severity cloud service vulnerabilities, and multiple elevation of privilege flaws across core Windows components. Security feature bypass issues dominate the actively exploited set, with Windows Shell, MSHTML, and Microsoft Word all being targeted.

Notable Patch Tuesday vulnerabilities for February

• CVE-2026-21510 A security feature bypass vulnerability in Windows Shell that is actively exploited in the wild. The flaw stems from a protection mechanism failure that allows an attacker to bypass Windows SmartScreen and Shell security prompts. By convincing a user to open a malicious link or shortcut file, attacker-controlled content can execute without any user warning or consent. This vulnerability was publicly disclosed and has functional exploit code available.
• CVE-2026-21513 A security feature bypass vulnerability in the MSHTML Framework (Internet Explorer) that is also being actively exploited. An attacker can exploit this by convincing a user to open a malicious HTML file or shortcut (.lnk) file delivered through a link, email attachment, or download. The specially crafted file manipulates browser and Windows Shell handling, causing content to be executed by the operating system — effectively bypassing security prompts when executing files.
• CVE-2026-21514 A security feature bypass vulnerability in Microsoft Word that is being actively exploited with functional exploit code available. The flaw relies on untrusted inputs in a security decision, allowing an attacker to bypass OLE mitigations in Microsoft 365 and Microsoft Office that normally protect users from vulnerable COM/OLE controls. Exploitation requires sending a user a malicious Office file and convincing them to open it. The Preview Pane is not an attack vector.
• CVE-2026-21519 An elevation of privilege vulnerability in Desktop Window Manager that is actively exploited. The vulnerability is caused by a type confusion issue that allows an authenticated attacker to elevate privileges to SYSTEM locally.
• CVE-2026-21533 An elevation of privilege vulnerability in Windows Remote Desktop Services that is being actively exploited with functional exploit code available. Improper privilege management allows an authenticated attacker to escalate to SYSTEM privileges locally.
• CVE-2026-21525 A denial of service vulnerability in Windows Remote Access Connection Manager that is actively exploited. A null pointer dereference allows an unauthenticated attacker to cause a denial of service locally.

For more detailed information on these and other vulnerabilities, please refer to the release notes: https://msrc.microsoft.com/update-guide/releaseNote/2026-Feb

Need help addressing the above in your own organization? Speak to an Outpost24 expert.