February 2026 Patch Tuesday: Microsoft & Adobe Security Updates Reviewed

by Rachel Kim – Technology Editor

Microsoft released its February 2026 Patch Tuesday updates addressing a total of 59 Common Vulnerabilities and Exposures (CVEs), including six zero-day vulnerabilities actively exploited in the wild, according to CrowdStrike. The update impacts a wide range of Microsoft products and services, from Windows operating systems to Azure cloud offerings.

The vulnerabilities addressed range in severity, with two rated critical, 51 important, and one moderate. A significant portion of the patched vulnerabilities, 42.6%, are elevation of privilege (EoP) flaws, followed by remote code execution (RCE) vulnerabilities at 20.4%, as reported by Tenable. This month’s release includes fixes for components like .NET, Visual Studio, Azure Arc, and Microsoft Exchange Server.

The Cybersecurity and Infrastructure Security Agency (CISA) has added several of the patched vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging users to apply updates before March 3, 2026. These include CVE-2026-21519, a Desktop Window Manager elevation of privilege vulnerability; CVE-2026-21533, affecting Windows Remote Desktop Services; CVE-2026-21510, a Windows Shell security feature bypass; CVE-2026-21514, a Microsoft Word security feature bypass; CVE-2026-21525, a Windows Remote Access Connection Manager denial of service vulnerability; and CVE-2026-21513, an MSHTML Framework security feature bypass.

CVE-2026-21510, the Windows Shell vulnerability, allows an unauthenticated attacker to bypass network security features if a user opens a malicious link or shortcut file. CVE-2026-21519, impacting the Desktop Window Manager, could allow an authenticated attacker to gain SYSTEM privileges. Exploitation of CVE-2026-21533, in Windows Remote Desktop Services, could also grant an attacker SYSTEM privileges.

Several critical-severity vulnerabilities were also patched, including CVE-2026-24300, affecting Azure Front Door. Microsoft stated this vulnerability has already been fully mitigated and no user action is required. Other critical vulnerabilities addressed include CVE-2026-21522, impacting Microsoft ACI Confidential Containers, and CVE-2026-23655, also related to Microsoft ACI Confidential Containers, which could allow attackers to disclose secret tokens and keys.

Beyond the core Windows operating system, updates were released for components including Microsoft Edge for Android, Windows Notepad App, Windows GDI+, Power BI, and Windows HTTP.sys. The Mailslot File System and Windows Ancillary Function Driver for WinSock also received patches addressing elevation of privilege vulnerabilities.

Adobe also released security advisories addressing 44 vulnerabilities across several products, including Adobe Audition, After Effects, and Photoshop, with 27 of those vulnerabilities classified as critical. Successful exploitation of these Adobe vulnerabilities could lead to arbitrary code execution.

Qualys has released QQL queries to help identify impacted hosts and deploy patches, and offers mitigations for 34 of the vulnerabilities. The next Patch Tuesday is scheduled for March 10, 2026.
