Microsoft has patched six actively exploited zero-days in its latest security update, with three of the flaws described as security feature bypass vulnerabilities that let attackers slip past built-in protections across multiple Microsoft products. Two of the remaining zero-days are elevation-of-privilege bugs that could give an attacker admin-level privileges, while the last enables denial-of-service conditions.
Microsoft issued an out-of-band patch for one of the zero-days, underscoring the urgency, and five additional CVEs disclosed this week are described as bugs attackers are “more likely” to exploit. The three security feature bypass vulnerabilities are CVE-2026-21510, CVE-2026-21513 and CVE-2026-21514. According to Microsoft, CVE-2026-21510 (CVSS 8.8) allows bypass of Windows Shell and Windows SmartScreen and enables code execution after user interaction.
Security researchers caution that feature bypass flaws significantly raise campaign success rates, and Microsoft notes that the affected components are widely used, including Word and MSHTML.