BLOG Featured Recent Video Category Start Free Trial February 2026 Patch Tuesday: Six Zero-Days Among 59 CVEs Patched February 10, 2026 | Falcon Exposure Management Team | Exposure Management Microsoft has addressed 59 vulnerabilities in its February 2026 security update release. These include six actively exploited vulnerabilities, three of which were publicly known, and five Critical vulnerabilities. February 2026 Risk Analysis This month's leading risk types by exploitation technique are elevation of privilege with 25 patches (42%), remote code execution (RCE) with 12 patches (20%), and spoofing with 8 patches (14%). Figure 1. Breakdown of February 2026 Patch Tuesday exploitation techniques Microsoft Windows received the most patches this month with 32, followed by ESU with 25. Figure 2. Breakdown of product families affected by February 2026 Patch Tuesday Actively Exploited Zero-Day Vulnerability in Windows Remote Desktop CVE-2026-21533 is an Important elevation of privilege vulnerability affecting Windows Remote Desktop Services and has a CVSS score of 7.8. Microsoft has confirmed this vulnerability is being actively exploited in the wild but had not been publicly disclosed. CrowdStrike identified and reported this vulnerability to Microsoft. The CVE-2026-21533 exploit binary modifies a service configuration key, replacing it with an attacker-controlled key, which could enable adversaries to escalate privileges to add a new user to the Administrator group. CrowdStrike Intelligence retrospective hunting has revealed that threat actors had used this binary in the wild to target U.S. and Canada-based entities since at least December 24, 2025. CrowdStrike Intelligence assesses that Microsoft's public disclosure of CVE-2026-21533 will almost certainly encourage threat actors possessing CVE-2026-21533 exploit binaries, as well as any exploit brokers possessing the underlying exploit, to use or monetize the exploits in the near term. CrowdStrike customers can learn more details in CSA-260174. Table 1. Important actively exploited zero-day vulnerability in Windows Remote Desktop Severity CVSS Score CVE Description Important 7.8 CVE-2026-21533 Windows Remote Desktop Services Elevation of Privilege Vulnerability Actively Exploited and Publicly Disclosed Zero-Day Vulnerability in MSHTML Framework CVE-2026-21513 is an Important security feature bypass vulnerability affecting MSHTML Framework and has a CVSS score of 8.8. Microsoft has confirmed this vulnerability is being actively exploited in the wild and had been publicly disclosed. The vulnerability allows remote attackers with no privileges to bypass security prompts when executing files by convincing users to open malicious HTML files or shortcut (.lnk) files delivered via social engineering. The specially crafted files manipulate browser and Windows Shell handling, causing content to be executed by the operating system without proper security warnings. This bypass can potentially lead to code execution with high impact to confidentiality, integrity, and availability. The vulnerability requires user interaction but has low attack complexity, and affects multiple versions of Windows 10, Windows 11, and Windows Server systems dating back to Server 2012. Table 2. Important actively exploited and publicly disclosed zero-day vulnerability in MSHTML Framework Severity CVSS Score CVE Description Important 8.8 CVE-2026-21513 MSHTML Framework Security Feature Bypass Vulnerability Actively Exploited and Publicly Disclosed Zero-Day Vulnerability in Windows Shell CVE-2026-21510 is an Important security feature bypass vulnerability affecting Windows Shell and has a CVSS score of 8.8. Microsoft has confirmed this vulnerability is being actively exploited in the wild and had been publicly disclosed. The vulnerability allows remote attackers with no privileges to bypass Windows SmartScreen and Windows Shell security prompts by convincing users to open malicious links or shortcut files. The specially crafted files exploit improper handling in Windows Shell components, causing attacker-controlled content to be executed without user warning or consent. This bypass can lead to code execution. The attack requires user interaction, but complexity is low, making it readily exploitable through social engineering techniques. Table 3. Important actively exploited and publicly disclosed zero-day vulnerability in Windows Shell Severity CVSS Score CVE Description Important 8.8 CVE-2026-21510 Windows Shell Security Feature Bypass Vulnerability Actively Exploited and Publicly Disclosed Zero-Day Vulnerability in Microsoft Word CVE-2026-21514 is an Important security feature bypass vulnerability affecting Microsoft Word and has a CVSS score of 7.8. Microsoft confirmed this vulnerability is being actively exploited in the wild and had been publicly disclosed. The vulnerability allows local attackers with no privileges to bypass OLE (Object Linking and Embedding) mitigations in Microsoft 365 and Microsoft Office by convincing users to open malicious Office files. The specially crafted files exploit reliance on untrusted inputs in security decisions, allowing vulnerable COM/OLE controls to execute without proper protection. This bypass can lead to code execution with high impact to confidentiality, integrity, and availability, but the vulnerability requires user interaction. The attack complexity is low, making it readily exploitable through social engineering techniques such as phishing emails with malicious attachments. The Preview Pane is not an attack vector for this vulnerability. Table 4. Important actively exploited and publicly disclosed zero-day vulnerability in Microsoft Word Severity CVSS Score CVE Description Important 7.8 CVE-2026-21514 Microsoft Word Security Feature Bypass Vulnerability Actively Exploited Zero-Day Vulnerability in Desktop Window Manager CVE-2026-21519 is an Important elevation of privilege vulnerability affecting Desktop Window Manager and has a CVSS score of 7.8. Microsoft confirmed this vulnerability is being actively exploited in the wild but had not been publicly disclosed. The vulnerability allows local attackers with low privileges to elevate to SYSTEM privileges through a type confusion flaw in Desktop Window Manager. The specially crafted exploit accesses resources using incompatible types, enabling unauthorized privilege escalation. The vulnerability requires no user interaction and has low attack complexity, making it an attractive target for attackers that have already gained initial access to a system. Despite unproven public exploit code, active exploitation has been detected in the wild, indicating threat actors possess working exploits for this zero-day vulnerability. Table 5. Important actively exploited zero-day vulnerability in Desktop Window Manager Severity CVSS Score CVE Description Important 7.8 CVE-2026-21519 Desktop Window Manager Elevation of Privilege Vulnerability Actively Exploited Zero-Day Vulnerability in Windows Remote Access Connection Manager CVE-2026-21525 is a Moderate denial of service vulnerability affecting Windows Remote Access Connection Manager and has a CVSS score of 6.2. Microsoft confirmed this vulnerability is being actively exploited in the wild but had not been publicly disclosed. The vulnerability allows local attackers with no privileges to cause a denial of service through a null pointer dereference in Windows Remote Access Connection Manager. The vulnerability requires no user interaction and has low attack complexity, enabling attackers to disrupt system availability. Despite unproven public exploit code, active exploitation has been detected in the wild, indicating threat actors possess working exploits. Table 6. Moderate actively exploited zero-day vulnerability in Windows Remote Access Connection Manager Severity CVSS Score CVE Description Moderate 6.2 CVE-2026-21525 Windows Remote Access Connection Manager Denial of Service Vulnerability Three Critical Vulnerabilities in Microsoft Azure CVE-2026-24300 is a Critical elevation of privilege vulnerability affecting Azure Front Door and has a CVSS score of 9.8. The vulnerability allows remote attackers with no privileges to elevate privileges through improper access control in Azure Front Door. The vulnerability requires no user interaction and has low attack complexity. Microsoft has proactively remediated this vulnerability within the Azure cloud infrastructure without requiring any customer intervention. This CVE is published for transparency as part of Microsoft's commitment to disclosing cloud service vulnerabilities. Azure Arc users are automatically protected with no patches or configuration changes necessary. CVE-2026-24302 is a Critical elevation of privilege vulnerability affecting Azure Arc and has a CVSS score of 8.6. The vulnerability allows remote attackers with no privileges to elevate privileges through improper access control in Azure Arc. The vulnerability requires no user interaction, has low attack complexity, and features a changed scope with potential for high confidentiality impact. As a cloud service vulnerability, Microsoft has already deployed fixes across the Azure platform, eliminating the risk without requiring customer action. This CVE is published for transparency as part of Microsoft's commitment to disclosing cloud service vulnerabilities. Azure Arc users are automatically protected with no patches or configuration changes necessary. CVE-2026-21532 is a Critical information disclosure vulnerability affecting Azure Function and has a CVSS score of 8.2. The vulnerability allows remote attackers with no privileges to access sensitive information through exposure of sensitive information to unauthorized actors in Azure Function. The vulnerability requires no user interaction, has low attack complexity, and could result in high confidentiality impact and low integrity impact. Microsoft resolved this vulnerability through backend infrastru