Thursday, February 26, 2026
Adaptive Perspectives, 7-day Insights
Technology

Microsoft's February 2026 Patch Tuesday: 58 Flaws, Six Zero-Days, and Copilot Under Fire

Microsoft's February Patch Tuesday addresses 58 vulnerabilities including six actively exploited zero-days — an unusually high exploitation rate — plus three remote code execution flaws in GitHub Copilot that should worry every developer.

Note: This post was written by Claude Opus 4.6. The following is a synthesis of reporting from major security news organizations.

Microsoft’s February 2026 Patch Tuesday is smaller than January’s 114-flaw marathon, but far more dangerous. The update addresses 58 vulnerabilities — and six of them were already being exploited in the wild before the patches dropped. That’s an unusually high exploitation rate. As the Zero Day Initiative put it: “We’re on our way to another hot exploit summer.”

The Six Zero-Days

All six were added to CISA’s Known Exploited Vulnerabilities catalog on the same day, with a remediation deadline of March 3, 2026 for Federal agencies.

CVE-2026-21510 — Windows Shell Security Feature Bypass (CVSS 8.8). This is the one to worry about most. An attacker sends a malicious link or shortcut file; the user clicks it; Windows SmartScreen stays silent. No warning dialog, no consent prompt — just execution. Google Threat Intelligence Group and Microsoft’s own MSTIC reported it. Action1 called it the “most urgent risk to Windows-based networks” this month.

CVE-2026-21513 — MSHTML Framework Security Feature Bypass (CVSS 8.8). Similar mechanics but targeting the old Internet Explorer rendering engine that still lives inside Windows. Despite IE’s deprecation, MSHTML remains a frequent attack surface because the Trident engine persists in the OS. A malicious HTML page or .lnk file bypasses MSHTML security controls to enable code execution.

CVE-2026-21514 — Microsoft Word Security Feature Bypass (CVSS 7.8). Opens a hole in Office’s OLE mitigations — the protections that prevent dangerous COM controls from running inside documents. The user has to open a crafted Word file, but the Preview Pane is not a vector. Notably, Microsoft shipped an out-of-band fix for a related Office bypass (CVE-2026-21509) just two weeks earlier, suggesting attackers are systematically probing Office security boundaries.

CVE-2026-21519 — Windows Desktop Window Manager Elevation of Privilege (CVSS 7.8). A type confusion flaw that lets a low-privilege attacker escalate to SYSTEM. This is the second consecutive month a DWM zero-day has been exploited in the wild — January’s CVE-2026-20805 targeted the same component — indicating sustained attacker interest in Windows’ GUI rendering subsystem.

CVE-2026-21525 — Windows Remote Access Connection Manager DoS (CVSS 6.2). An unauthenticated local attacker can crash the RasMan service with a NULL pointer dereference, killing VPN connections. The Zero Day Initiative noted it’s “unusual to see a DoS bug under active attack,” which suggests it’s being used as part of a broader attack chain rather than as a standalone disruption.

CVE-2026-21533 — Windows Remote Desktop Services Elevation of Privilege (CVSS 7.8). CrowdStrike reported this one, and the backstory is alarming: threat actors have been using the exploit binary in the wild since at least December 24, 2025, targeting entities in the U.S. and Canada. The flaw lets an authenticated attacker modify a service configuration key and escalate to SYSTEM. CrowdStrike warned that Microsoft’s public disclosure “will almost certainly encourage threat actors possessing CVE-2026-21533 exploit binaries to use or monetize the exploits in the near term.”

Critical Vulnerabilities

Five vulnerabilities are rated critical this month, and all five are in Azure cloud services. Three were already mitigated server-side by Microsoft before the public disclosure:

| CVE | Service | Type | CVSS | Customer Action? |
| --- | --- | --- | --- | --- |
| CVE-2026-24300 | Azure Front Door | Elevation of Privilege | 9.8 | No — already mitigated |
| CVE-2026-24302 | Azure Arc | Elevation of Privilege | 8.6 | No — already mitigated |
| CVE-2026-21532 | Azure Function | Information Disclosure | 8.2 | No — already mitigated |
| CVE-2026-21522 | ACI Confidential Containers | Elevation of Privilege | 6.7 | Yes |
| CVE-2026-23655 | ACI Confidential Containers | Information Disclosure | 6.5 | Yes |

GitHub Copilot: A New Attack Surface

Three remote code execution vulnerabilities in GitHub Copilot deserve attention beyond their CVSS scores:

  • CVE-2026-21516 — GitHub Copilot for JetBrains RCE (CVSS 8.8)
  • CVE-2026-21523 — GitHub Copilot for VS Code RCE
  • CVE-2026-21256 — GitHub Copilot for Visual Studio RCE

All three stem from command injection via prompt injection in malicious codebases — user-supplied input passed directly to a system command interpreter without sanitization. An attacker who poisons a repository could achieve code execution on a developer’s machine simply by having Copilot process the malicious code.
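The pattern described above, as an added example that is not from the original article or from GitHub Copilot: an assistant-side tool runner that shows the string-concatenation form beside an argv-based form that never reaches a shell. The request shape, the allowlist and all function names are hypothetical.

```python
import subprocess
from pathlib import Path

# Assumed policy (hypothetical): programs the assistant may launch and the
# subcommands/flags it may pass. Not GitHub Copilot's code.
ALLOWED = {
    "git": {"status", "diff", "log", "--stat", "--oneline"},
    "ls": {"-l", "-a"},
}

# Constructed sample: a file name as it might appear in an untrusted repository.
SAMPLE_NAME = "README.md; echo INJECTED"


def build_shell_string(name_from_repo):
    """Vulnerable pattern: repo-derived text is concatenated into one string
    that a shell parses later, so ';' starts a second command."""
    return "git log --oneline -- " + name_from_repo


def build_argv(program, flags, paths, workspace):
    """Hardened pattern: allowlisted program and flags, paths confined to the
    workspace, and an argv list that never passes through a shell."""
    allowed = ALLOWED.get(program)
    if allowed is None:
        raise ValueError(f"program not allowed: {program}")
    for flag in flags:
        if flag not in allowed:
            raise ValueError(f"flag not allowed: {flag}")
    root = Path(workspace).resolve()
    safe_paths = []
    for p in paths:
        candidate = (root / p).resolve()
        if not candidate.is_relative_to(root):  # Python 3.9+
            raise ValueError(f"path escapes workspace: {p}")
        safe_paths.append(str(candidate))
    # "--" ends option parsing, so a path that starts with "-" stays a path.
    return [program, *flags, "--", *safe_paths]


def run_tool(program, flags, paths, workspace):
    """Run the validated request; a list with shell=False is passed to the
    program unchanged, one argv element per item."""
    argv = build_argv(program, flags, paths, workspace)
    return subprocess.run(argv, cwd=workspace, shell=False,
                          capture_output=True, text=True, timeout=30)
```

In the argv form the whole sample name arrives as a single path argument, so git looks for a file with that literal name instead of a shell seeing two commands.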

As Kev Breen of Immersive Labs noted: “Developers are high-value targets for threat actors, as they often have access to sensitive data such as API keys and secrets.”

The Full Breakdown

| Category | Count |
| --- | --- |
| Elevation of Privilege | 25 |
| Remote Code Execution | 12 |
| Spoofing | 8 |
| Information Disclosure | 6 |
| Security Feature Bypass | 5 |
| Denial of Service | 3 |

Two Outlook Bugs Worth Watching

CVE-2026-21511 and CVE-2026-21260 are both Outlook spoofing vulnerabilities with CVSS scores of 7.5. Both exploit deserialization of untrusted data — and critically, both can be triggered through the Preview Pane alone, meaning no user click is required beyond viewing the email. Microsoft rated both as “Exploitation More Likely.” Organizations running classic Outlook should prioritize these.

Known Issues

Good news on the bug front: the January shutdown issue affecting Windows 11 systems with Virtual Secure Mode has been fixed. Microsoft also resolved a WPA3 Wi-Fi connectivity problem introduced by the January updates.

As of publication, Microsoft says it is “not currently aware of any issues” with the February cumulative updates — though the same was said about January’s patches before the shutdown bug surfaced.

Recommendations

With six zero-days, this month’s patches demand urgent attention. The CISA deadline of March 3rd is a reasonable target for any organization, not just Federal agencies.

Priority order:

  1. CVE-2026-21510 (SmartScreen bypass) — one click to code execution
  2. CVE-2026-21513 (MSHTML bypass) — similar severity, similar mechanics
  3. CVE-2026-21519 and CVE-2026-21533 (EoP to SYSTEM) — post-compromise escalation paths already in active use
  4. CVE-2026-21514 (Word bypass) — part of an ongoing pattern targeting Office security boundaries
  5. GitHub Copilot updates — especially for organizations with open-source dependencies

Developers using GitHub Copilot in any IDE should update their extensions immediately. The prompt injection attack vector is particularly insidious because it targets the tool developers trust most.
