Bright Nexus

Published on March 10, 2026

Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws

Severity

High

Detail

Microsoft released its February 2026 Patch Tuesday security updates addressing 58 vulnerabilities across Windows operating systems and related software components. This Patch Tuesday release also addresses five vulnerabilities rated Critical, including several Elevation of Privilege and Information Disclosure flaws.

The update includes six zero-day vulnerabilities actively exploited in the wild, which may allow attackers to bypass security protections, escalate privileges, or cause denial-of-service conditions. Several vulnerabilities require user interaction, such as opening malicious files or links, but exploitation could lead to system compromise or unauthorized privilege escalation.

CVE IDVulnerability TypeImpactCVSS Score
CVE-2026-21510Security Feature BypassAllows attackers to bypass Windows SmartScreen protections8.8 (High)
CVE-2026-21513Security Feature BypassEnables attackers to bypass MSHTML security protections8.8 (High)
CVE-2026-21514Security Feature BypassExploitation through malicious Microsoft Word / OLE documents7.8 (High)
CVE-2026-21519Elevation of PrivilegeAllows attackers to gain SYSTEM-level privileges locally7.8 (High)
CVE-2026-21525Denial of ServiceNull pointer dereferences causing service crash6.5 (Medium)
CVE-2026-21533Elevation of PrivilegeAllows authenticated attackers to escalate privileges7.8 (High)

Affected Products

The vulnerabilities affect multiple products and components from Microsoft, including the following operating systems, applications, and Windows components:

Operating Systems

  • Windows 10 (all supported versions)
  • Windows 11
  • Windows Server 2019
  • Windows Server 2022

Microsoft Applications

  • Microsoft Office
  • Microsoft Word

Windows Components

  • Windows Shell (SmartScreen protection mechanism)
  • MSHTML Platform (Trident rendering engine)
  • Desktop Window Manager (DWM)
  • Remote Desktop Services (RDS)
  • Windows Remote Access Connection Manager
  • Object Linking and Embedding (OLE) components

Recommendation

Organizations and users should treat this update as high priority and ensure patches are deployed promptly across all affected systems.

  1. Apply February 2026 Patch Tuesday updates immediately through:
    • Windows Update
    • Windows Server Update Services
    • Microsoft Endpoint Configuration Manager
  2. Verify the installation of the February 2026 security patches on all endpoints and servers.
  3. Prioritize patching for the following systems:
    • Internet-facing Windows servers
    • Systems running Remote Desktop Services
    • End-user workstations used for email and document handling
  4.   Restrict or monitor Remote Desktop access on servers and workstations where possible.
  5.   Implement email filtering and endpoint protection controls to block malicious Office documents and shortcut files that could trigger exploitation.

Source

https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2026-patch-tuesday-fixes-6-zero-days-58-flaws