Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws By Lawrence Abrams February 10, 2026 01:51 PM Today is Microsoft's February 2026 Patch Tuesday with security updates for 58 flaws, including 6 actively exploited and three publicly disclosed zero-day vulnerabilities. This Patch Tuesday also addresses five "Critical" vulnerabilities, 3 of which are elevation of privileges flaws and 2 information disclosure flaws. The number of bugs in each vulnerability category is listed below: 25 Elevation of Privilege vulnerabilities 5 Security Feature Bypass vulnerabilities 12 Remote Code Execution vulnerabilities 6 Information Disclosure vulnerabilities 3 Denial of Service vulnerabilities 7 Spoofing vulnerabilities When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today. Therefore, the number of flaws does not include 3 Microsoft Edge flaws fixed earlier this month. As part of these updates, Microsoft has also begun to roll out updated Secure Boot certificates to replace the original 2011 certificates that are expiring in late June 2026. "With this update, Windows quality updates include a broad set of targeting data that identifies devices and their ability to receive new Secure Boot certificates," explains Microsoft in the Windows 11 update notes. "Devices will receive the new certificates only after they show sufficient successful update signals, which helps ensures a safe and phased rollout." To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5077181 & KB5075941 cumulative updates . 6 actively exploited zero-days This month's Patch Tuesday fixes six actively exploited vulnerabilities, three of which are publicly disclosed. Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available. The six actively exploited zero-days are: CVE-2026-21510 - Windows Shell Security Feature Bypass Vulnerability Microsoft has patched an actively exploited Windows security feature bypass that can be triggered by opening a specially crafted link or shortcut file. "To successfully exploit this vulnerability, an attacker must convince a user to open a malicious link or shortcut file." explains Microsoft. "An attacker could bypass Windows SmartScreen and Windows Shell security prompts by exploiting improper handling in Windows Shell components, allowing attacker‑controlled content to execute without user warning or consent," continued Microsoft. While Microsoft has not shared further details, it likely allows attackers to bypass the Mark of the Web (MoTW) security warnings. Microsoft has attributed the discovery of the flaw to Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), Office Product Group Security Team, Google Threat Intelligence Group, and an anonymous researcher. CVE-2026-21513 - MSHTML Framework Security Feature Bypass Vulnerability Microsoft has patched an actively exploited MSHTML security feature bypass flaw in Windows. "Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network," explains Microsoft. There are no details on how this was exploited. This flaw was once again attributed to Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), Office Product Group Security Team, and Google Threat Intelligence Group. CVE-2026-21514 - Microsoft Word Security Feature Bypass Vulnerability Microsoft has patched a security feature bypass flaw in Microsoft Word that is actively exploited. "An attacker must send a user a malicious Office file and convince them to open it," warns Microsoft's advisory. "This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE control," continues Microsoft. Microsoft says that the flaw cannot be exploited in the Office Preview Pane. The flaw was again attributed to Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), Office Product Group Security Team, Google Threat Intelligence Group, and an anonymous researcher. As no details have been released, it is unclear if CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514 were exploited in the same campaign. CVE-2026-21519 - Desktop Window Manager Elevation of Privilege Vulnerability Microsoft has patched an actively exploited elevation of privileges flaw in the Desktop Window Manager. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," warns Microsoft. No details have been shared on how it was exploited. Microsoft has attributed the discovery of the flaw to Microsoft Threat Intelligence Center (MSTIC) & Microsoft Security Response Center (MSRC). CVE-2026-21525 - Windows Remote Access Connection Manager Denial of Service Vulnerability Microsoft fixed an actively exploited denial of service flaw in the Windows Remote Access Connection Manager. "Null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally,' explains Microsoft. No details have been shared on why or how this flaw was exploited in attacks. Microsoft has attributed the discovery of the flaw to the 0patch vulnerability research team. CVE-2026-21533 - Windows Remote Desktop Services Elevation of Privilege Vulnerability Microsoft has fixed an elevation of privileges in Windows Remote Desktop Services. "Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate privileges locally," explains Microsoft. No details have been shared on how this flaw was exploited. Microsoft has attributed the discovery of the flaw to the Advanced Research Team at CrowdStrike. Of the six zero-days, CVE-2026-21513, CVE-2026-21510, and CVE-2026-21514 were publicly disclosed. Recent updates from other companies Other vendors who released updates or advisories in February 2026 include: Adobe released security updates for Audition, After Effects, InDesign, Substance 3D, Adobe Lightroom Classic, and other software. None of the flaws are exploited. BeyondTrust released security updates for a critical RCE flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software. CISA issued a new binding operational directive requiring federal agencies to remove network edge devices that have reached the end of support. Cisco released security updates for Secure Web Appliance, Cisco Meeting Management, and more. Fortinet released security updates for FortiOS and FortiSandbox. Google has released Android's February security bulletin , which includes no security fixes. n8n fixed critical vulnerabilities that act as a patch bypass for the previously fixed CVE-2025-68613 RCE flaw. SAP released the February security updates for multiple products, including fixes for two critical vulnerabilities. While not a security update, Microsoft has started rolling out built-in Sysmon functionality in Windows 11 insider builds , which many Windows admins will find useful. The February 2026 Patch Tuesday Security Updates Below is the complete list of resolved vulnerabilities in the February 2026 Patch Tuesday updates. To access the full description of each vulnerability and the systems it affects, you can view the full report here . Tag CVE ID CVE Title Severity .NET CVE-2026-21218 .NET Spoofing Vulnerability Important Azure Arc CVE-2026-24302 Azure Arc Elevation of Privilege Vulnerability Critical Azure Compute Gallery CVE-2026-23655 Microsoft ACI Confidential Containers Information Disclosure Vulnerability Critical Azure Compute Gallery CVE-2026-21522 Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability Critical Azure DevOps Server CVE-2026-21512 Azure DevOps Server Cross-Site Scripting Vulnerability Important Azure Front Door (AFD) CVE-2026-24300 Azure Front Door Elevation of Privilege Vulnerability Critical Azure Function CVE-2026-21532 Azure Function Information Disclosure Vulnerability Critical Azure HDInsights CVE-2026-21529 Azure HDInsight Spoofing Vulnerability Important Azure IoT SDK CVE-2026-21528 Azure IoT Explorer Information Disclosure Vulnerability Important Azure Local CVE-2026-21228 Azure Local Remote Code Execution Vulnerability Important Azure SDK CVE-2026-21531 Azure SDK for Python Remote Code Execution Vulnerability Important Desktop Window Manager CVE-2026-21519 Desktop Window Manager Elevation of Privilege Vulnerability Important Github Copilot CVE-2026-21516 GitHub Copilot for Jetbrains Remote Code Execution Vulnerability Important GitHub Copilot and Visual Studio CVE-2026-21523 GitHub Copilot and Visual Studio Code Remote Code Execution Vulnerability Important GitHub Copilot and Visual Studio CVE-2026-21256 GitHub Copilot and Visual Studio Remote Code Execution Vulnerability Important GitHub Copilot and Visual Studio CVE-2026-21257 GitHub Copilot and Visual Studio Elevation of Privilege Vulnerability Important GitHub Copilot and Visual Studio Code CVE-2026-21518 GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability Important Mailslot File System CVE-2026-21253 Mailslot File System Elevation of Privilege Vulnerability Important Microsoft Defender for Linux CVE-2026-21537 Microsoft Defender for Endpoint Linux Extension Remote Code Execution Vulnerability Important Microsoft Edge (Chromium-based) CVE-2026-1861 Chromium: CVE-2026-1861 Heap buffer overflow in libvpx Unknown Microsoft Edge (Chromium-based) CVE-2026-1862 Chromium: CVE-2026-1862 Type Confusion in V8 Unknown Microsoft Edge for Android CVE-2026-0391 Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability Moderate Microsoft Exchange Server CVE-2026-21527 Microsoft Exchange Server Spoofing Vulnerability Important Microsoft Graphics Component CVE-2026-21246 Windows Graphics Component Elevation of Privilege Vulnerability Important Mi