Table of Contents Microsoft Patch Tuesday forFebruary2026 Adobe Patches for February 2026 Zero-day Vulnerabilities Patched inFebruaryPatch Tuesday Edition Critical Severity Vulnerabilities Patched inFebruaryPatch Tuesday Edition Other Microsoft Vulnerability Highlights Microsoft Release Summary Discover and Prioritize Vulnerabilities inVulnerability Management, Detection & Response (VMDR) Rapid Response with TruRisk Eliminate Qualys Monthly Webinar Series Microsoft’s February 2026 Patch Tuesday focuses on closing security gaps that attackers could exploit, reinforcing the importance of timely patching in enterprise environments. Here’s a quick breakdown of what you need to know. Microsoft Patch Tuesday for February 2026 This month’s release addresses 61 vulnerabilities, including five critical and 52 important-severity vulnerabilities. In this month’s updates, Microsoft has addressed six zero-day vulnerabilities that have been exploited in the wild. Microsoft addressed one vulnerability in Microsoft Edge (Chromium-based) that was patched earlier this month. Microsoft Patch Tuesday, February edition, includes updates for vulnerabilities in Microsoft Exchange Server, Microsoft Graphics Component, Windows NTLM, Windows Remote Access Connection Manager, Windows Remote Desktop, and more. From elevation of privilege flaws to remote code execution risks, this month’s patches are essential for organizations aiming to maintain a robust security posture. The February 2026 Microsoft vulnerabilities are classified as follows: Vulnerability Category Quantity Severities Spoofing Vulnerability 7 Important: 6 Denial of Service Vulnerability 3 Important: 3 Elevation of Privilege Vulnerability 25 Critical: 3 Important: 22 Information Disclosure Vulnerability 6 Critical: 2 Important: 4 Remote Code Execution Vulnerability 12 Important: 12 Security Feature Bypass Vulnerability 5 Important: 5 Adobe Patches for February 2026 Adobe has released nine security advisories to address 44 vulnerabilities in Adobe Audition, Adobe After Effects, Adobe InDesign Desktop, Adobe Substance 3D Designer, Adobe Substance 3D Stager, Adobe Bridge, Adobe Substance 3D Modeler, Adobe Lightroom Classic, and Adobe DNG SDK. 27 of these vulnerabilities are given critical severity ratings. Successful exploitation of these vulnerabilities may lead to arbitrary code execution. Zero-day Vulnerabilities Patched in February Patch Tuesday Edition CVE-2026-21519: Desktop Windows Manager Elevation of Privilege Vulnerability Desktop Window Manager is a system service in Windows (Vista and later) that enables visual effects such as transparency, window animations, and live taskbar thumbnails via GPU hardware acceleration. A type confusion flaw in the Desktop Window Manager may allow an authenticated attacker to elevate privileges locally. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog . CISA urges users to patch the vulnerability before March 3, 2026. CVE-2026-21533: Windows Remote Desktop Services Elevation of Privilege Vulnerability Windows Remote Desktop Services (RDS) is a Microsoft Windows Server technology that allows users to securely access virtualized desktops, applications, and resources from any device, anywhere. An improper privilege management flaw in Windows Remote Desktop could allow an authenticated attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog . CISA urges users to patch the vulnerability before March 3, 2026. CVE-2026-21510: Windows Shell Security Feature Bypass Vulnerability The Windows Shell is the primary interface for users to interact with the Windows operating system, encompassing visible elements like the Desktop, Taskbar, and Start Menu. A failure in the Windows Shell protection mechanism may allow an unauthenticated attacker to bypass a network security feature. An attacker must convince a user to open a malicious link or shortcut file to exploit the vulnerability. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog . CISA urges users to patch the vulnerability before March 3, 2026. CVE-2026-21514: Microsoft Word Security Feature Bypass Vulnerability An attacker must send a user a malicious Office file and convince them to open it to exploit the vulnerability. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog . CISA urges users to patch the vulnerability before March 3, 2026. CVE-2026-21525: Windows Remote Access Connection Manager Denial of Service Vulnerability Windows Remote Access Connection Manager is a core Windows service t