Microsoft today released security updates addressing 58 vulnerabilities across its products, including fixes for six actively exploited zero-day flaws. The February 2026 Patch Tuesday updates cover Windows, Microsoft Office, and core system components, with a significant focus on addressing critical security risks.
Among the vulnerabilities addressed are five rated “Critical”: three are elevation of privilege flaws and two are information disclosure flaws. The largest category of fixes targets 25 elevation of privilege vulnerabilities, followed by 12 addressing remote code execution risks. Other vulnerabilities patched include 5 security feature bypasses, 6 information disclosures, 7 spoofing vulnerabilities, and 3 denial of service flaws.
Three of the zero-day vulnerabilities – CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514 – were publicly disclosed prior to the release of the updates, increasing the urgency for users to apply the patches. Microsoft classifies a flaw as a zero-day when it is publicly disclosed or actively exploited while no official fix is available.
One of the actively exploited vulnerabilities, CVE-2026-21510, affects Windows Shell and allows attackers to bypass security features by tricking users into opening malicious links or shortcut files. Microsoft attributes the discovery of this flaw to a collaborative effort involving the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), Office Product Group Security Team, Google Threat Intelligence Group, and an anonymous researcher. The company warns that successful exploitation could allow attackers to bypass Windows SmartScreen and Shell security prompts, enabling the execution of attacker-controlled content without user consent.
Another actively exploited flaw, CVE-2026-21513, impacts the MSHTML Framework and allows attackers to bypass security features over a network. Details regarding the exploitation of this vulnerability remain limited. The discovery of this flaw was also credited to MSTIC, MSRC, the Office Product Group Security Team, and Google Threat Intelligence Group.
Microsoft has also patched CVE-2026-21514, a security feature bypass vulnerability in Microsoft Word. Exploitation requires attackers to send malicious Office files to users and convince them to open them. Microsoft notes that the flaw cannot be exploited within the Office Preview Pane.
Further zero-day vulnerabilities addressed include CVE-2026-21519, an elevation of privilege flaw in the Desktop Window Manager; CVE-2026-21525, a denial of service vulnerability in the Windows Remote Access Connection Manager; and CVE-2026-21533, an elevation of privilege vulnerability in Windows Remote Desktop Services. The discovery of CVE-2026-21519 was attributed to MSTIC and MSRC, CVE-2026-21525 to the 0patch vulnerability research team, and CVE-2026-21533 to the Advanced Research Team at CrowdStrike.
Beyond security fixes, Microsoft has begun a phased rollout of updated Secure Boot certificates, replacing those issued in 2011 that are set to expire in late June 2026. The updates include targeting data to identify devices capable of receiving the latest certificates, ensuring a safe and phased rollout.
Microsoft has also released cumulative updates for Windows 11 (KB5077181 and KB5075941) and an extended security update for Windows 10 (KB5075912) alongside the security patches. A separate update addressed three Microsoft Edge flaws fixed earlier this month, which are not included in the count of 58 vulnerabilities.