PATCH Tuesday in February 2026 saw Microsoft release patches to fix more than 50 security holes across Windows and related software, including fixes for six zero-day vulnerabilities that attackers are already exploiting in the wild.
According to Microsoft, the zero-days include CVE-2026-21510, a security feature bypass in Windows Shell; CVE-2026-21513 and CVE-2026-21514 affecting MSHTML and Microsoft Word respectively; CVE-2026-21533 enabling local privilege escalation in Windows Remote Desktop Services; CVE-2026-21519 in the Desktop Window Manager; and CVE-2026-21525, a potentially disruptive denial-of-service in the Windows Remote Access Connection Manager.
The update also patches further remote code execution flaws tied to GitHub Copilot and multiple IDEs, with CVEs 21516, 21523 and 21256 cited by Kev Breen of Immersive. Chris Goettl of Ivanti notes that Microsoft has issued several out-of-band security updates since January’s Patch Tuesday, while Breen warns about the risk to developers who hold API keys and other secrets in AI-enabled workflows. According to SANS Internet Storm Center, a breakdown of each fix is available, and admins are advised to back up data before rolling updates out.