MICROSOFT has released its security update for February 2026, addressing 61 vulnerabilities across its ecosystem, with six zero-day vulnerabilities currently being exploited in the wild and a critical flaw in the Windows Desktop Window Manager taking centre stage, according to Microsoft.
The update fixes five critical and 52 important-severity flaws, covering components from Microsoft Exchange Server to core Windows elements, and highlights CVE-2026-21519 as the most prominent zero-day being exploited to gain Elevation of Privilege.
Beyond the DWM flaw, the patch list includes CVE-2026-21525 (Remote Access Crash), CVE-2026-21514 (Word security bypass), CVE-2026-21513 (Browser engine flaw in MSHTML), CVE-2026-21510 (Windows Shell security feature bypass) and CVE-2026-21533 (Windows Remote Desktop Services elevation of privilege). IT teams are advised to prioritise the DWM patch to lock down endpoints given the active exploitation, with Elevation of Privilege bugs dominating the release.