On 10 February 2026, Microsoft released its monthly Patch Tuesday, fixing 58 vulnerabilities across its platforms. The standout of this batch is the presence of six actively exploited zero-days, three of which were publicly disclosed before a patch was available, plus five flaws rated as critical. For any enterprise infrastructure or home setup running Windows, this is one of the most relevant rollups of the year given the real-world exploitation pressure.
What was fixed
The breakdown of the 58 vulnerabilities by category is as follows:
- 25 elevation of privilege flaws
- 12 remote code execution (RCE)
- 7 spoofing
- 6 information disclosure
- 5 security feature bypass
- 3 denial of service
Of the five critical flaws, three are elevation of privilege and two are information disclosure.
The six exploited zero-days
The most urgent part of this batch is the six zero-days already being abused in real attacks:
- CVE-2026-21510 (Windows Shell): security feature bypass that evades SmartScreen and Mark-of-the-Web. A single click on a crafted shortcut runs attacker content with no warnings.
- CVE-2026-21513 (MSHTML framework): a protection-mechanism bypass over the network. It has been linked to APT28 activity via malicious HTML files or .lnk shortcuts.
- CVE-2026-21514 (Microsoft Word/Office): bypasses the OLE mitigations designed to protect against vulnerable COM/OLE controls; it requires opening a crafted document.
- CVE-2026-21519 (Desktop Window Manager): elevation of privilege to SYSTEM on an already-compromised host.
- CVE-2026-21525 (Remote Access Connection Manager): denial of service via null-pointer dereference.
- CVE-2026-21533 (Remote Desktop Services): privilege escalation allowing users to be added to the Administrators group and reach SYSTEM.
Several of these identifiers appear in CISA’s KEV (Known Exploited Vulnerabilities) catalog, which forces U.S. federal agencies to patch within set deadlines and serves as a priority signal for any organization.
Who is affected and severity
Exposure spans practically the whole Windows ecosystem: desktops, Windows Server, Office/Microsoft 365 and remote-desktop components. Because the zero-days focus on bypassing protections (SmartScreen, Mark-of-the-Web, OLE mitigations) and on privilege escalation, they fit typical attack chains: the attacker gains initial access through a malicious file or link and then escalates to SYSTEM. That makes them especially dangerous in environments where users open mail and attachments daily.
Mitigation
The recommendation is clear: apply the February 2026 Windows updates as soon as possible, prioritizing Internet-facing systems and those running Remote Desktop Services. Verify that Windows Update has completed and reboot the machines. In the meantime, keeping SmartScreen and Office mitigations active and being wary of shortcuts and documents from untrusted sources reduces the attack surface.
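One way to run the "verify and reboot" check above on a single host, as an added example that is not from Microsoft or the cited article. The function name and the `ExpectedKb` parameter are hypothetical, and since the page lists no KB numbers, the KB id for your build has to be supplied by you.

```powershell
# Added example: reports whether this host looks patched and restarted after the
# 10 February 2026 release. The KB id is not on the page; pass the one for your build.
function Get-PatchTuesdayState {
    param(
        [datetime]$ReleaseDate = [datetime]'2026-02-10',
        [string]$ExpectedKb = ''   # e.g. 'KB0000000' (placeholder, not a real id)
    )

    # Installed updates as reported by Win32_QuickFixEngineering.
    # InstalledOn can be empty on some systems, so drop those before comparing.
    $hotfixes = @(Get-HotFix)
    $recent = @($hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $ReleaseDate })

    # An exact KB match is the strong signal; the date test is only a heuristic.
    $kbPresent = $null
    if ($ExpectedKb) { $kbPresent = [bool]($hotfixes | Where-Object HotFixID -eq $ExpectedKb) }

    # Registry markers left behind while servicing still needs a restart.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $pendingReboot = [bool]($rebootKeys | Where-Object { Test-Path $_ })

    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $newestInstall = ($recent | Sort-Object InstalledOn -Descending |
        Select-Object -First 1).InstalledOn

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ExpectedKbInstalled = $kbPresent          # $null when no KB id was given
        UpdatesSinceRelease = ($recent.HotFixID -join ', ')
        NewestInstallDate   = $newestInstall
        LastBoot            = $lastBoot
        PendingReboot       = $pendingReboot
        # InstalledOn has day granularity, so the pending-reboot markers
        # cover the case of a boot earlier on the install day.
        RebootedAfterPatch  = ($null -ne $newestInstall -and
                               $lastBoot -gt $newestInstall -and -not $pendingReboot)
    }
}

Get-PatchTuesdayState | Format-List
```

A host with `PendingReboot` set, or with `RebootedAfterPatch` false, has the update staged but is not yet running the fixed binaries.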
Microsoft also began rolling out updated Secure Boot certificates to replace the 2011-era ones expiring at the end of June 2026. The deployment is phased based on successful-update signals, and it should not be postponed, so as to avoid Secure Boot problems later.
Source
- BleepingComputer: Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws