FEBRUARY 2026 Patch Tuesday patches 59 Microsoft CVEs, with six of them described as actively exploited zero-days. The six zero-days span Windows Shell, MSHTML, Microsoft Word, Desktop Window Manager, Windows Remote Access Connection Manager, and Windows Remote Desktop Services, and they carry CVSS scores ranging from 5.5 to 8.8.
The Windows Shell Security Feature Bypass (CVE-2026-21510) has a CVSS of 8.8 and can be triggered by a user opening a booby-trapped link or shortcut, though exploitation requires user interaction. The MSHTML Framework Security Feature Bypass (CVE-2026-21513) also has a CVSS of 8.8 and involves opening a malicious HTML file or crafted shortcut. Microsoft Word (CVE-2026-21514) carries a CVSS of 5.5 and requires untrusted inputs to bypass Word’s protections.
The Desktop Window Manager Elevation of Privilege (CVE-2026-21519) is rated 7.8, enabling local privilege escalation, while the Windows Remote Access Connection Manager DoS (CVE-2026-21525) has a 6.2 score and can be triggered by an unauthenticated local attacker.
A separate Windows Remote Desktop Services Elevation of Privilege (CVE-2026-21533) also scores 7.8, allowing a local authenticated attacker to obtain SYSTEM privileges; two Azure flaws with CVSS ratings of 9.8—CVE-2026-21531 affecting the Azure SDK and CVE-2026-24300 affecting Azure Front Door—are also highlighted.