Microsoft Patch Tuesday, February 2026 Security Update Review
Microsoft’s February 2026 Patch Tuesday focuses on closing security gaps that attackers could exploit, reinforcing the importance of timely patching in enterprise environments. Here’s a quick breakdown of what you need to know.
Microsoft Patch Tuesday for February 2026
This month’s release addresses 61 vulnerabilities, including five critical and 52 important-severity vulnerabilities.
In this month’s updates, Microsoft has addressed six zero-day vulnerabilities that have been exploited in the wild.
Microsoft addressed one vulnerability in Microsoft Edge (Chromium-based) that was patched earlier this month.
Microsoft Patch Tuesday, February edition, includes updates for vulnerabilities in Microsoft Exchange Server, Microsoft Graphics Component, Windows NTLM, Windows Remote Access Connection Manager, Windows Remote Desktop, and more.
From elevation of privilege flaws to remote code execution risks, this month’s patches are essential for organizations aiming to maintain a robust security posture.
The February 2026 Microsoft vulnerabilities are classified as follows:
| Vulnerability Category | Quantity | Severities |
| Spoofing Vulnerability | 7 | Important: 6 |
| Denial of Service Vulnerability | 3 | Important: 3 |
| Elevation of Privilege Vulnerability | 25 | Critical: 3 Important: 22 |
| Information Disclosure Vulnerability | 6 | Critical: 2 Important: 4 |
| Remote Code Execution Vulnerability | 12 | Important: 12 |
| Security Feature Bypass Vulnerability | 5 | Important: 5 |
Zero-day Vulnerabilities Patched in February Patch Tuesday Edition
CVE-2026-21519: Desktop Windows Manager Elevation of Privilege Vulnerability
Desktop Window Manager is a system service in Windows (Vista and later) that enables visual effects such as transparency, window animations, and live taskbar thumbnails via GPU hardware acceleration.
A type confusion flaw in the Desktop Window Manager may allow an authenticated attacker to elevate privileges locally. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
CVE-2026-21533: Windows Remote Desktop Services Elevation of Privilege Vulnerability
Windows Remote Desktop Services (RDS) is a Microsoft Windows Server technology that allows users to securely access virtualized desktops, applications, and resources from any device, anywhere.
An improper privilege management flaw in Windows Remote Desktop could allow an authenticated attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2026-21510: Windows Shell Security Feature Bypass Vulnerability
The Windows Shell is the primary interface for users to interact with the Windows operating system, encompassing visible elements like the Desktop, Taskbar, and Start Menu.
A failure in the Windows Shell protection mechanism may allow an unauthenticated attacker to bypass a network security feature. An attacker must convince a user to open a malicious link or shortcut file to exploit the vulnerability.
CVE-2026-21514: Microsoft Word Security Feature Bypass Vulnerability
An attacker must send a user a malicious Office file and convince them to open it to exploit the vulnerability.
CVE-2026-21525: Windows Remote Access Connection Manager Denial of Service Vulnerability
Windows Remote Access Connection Manager is a core Windows service that manages dial-up and Virtual Private Network connections, allowing user computers to securely connect to remote networks, corporate resources, or other devices.
A null pointer dereference in Windows Remote Access Connection Manager could allow an unauthenticated attacker to deny service locally.
CVE-2026-21513: MSHTML Framework Security Feature Bypass Vulnerability
The MSHTML Framework (also known as Trident) is a proprietary browser engine developed by Microsoft. It is a software component that renders web pages and other HTML content within applications running on Microsoft Windows.
A failure in the MSHTML Framework protection mechanism could allow an unauthenticated attacker to bypass a security feature over a network.
Critical Severity Vulnerabilities Patched in February Patch Tuesday Edition
CVE-2026-24300: Azure Front Door Elevation of Privilege Vulnerability
Microsoft mentioned in the advisory, “This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.”
CVE-2026-21522: Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability
A command injection flaw in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. Upon successful exploitation, an attacker could execute arbitrary commands within the affected ACI container’s context, thereby running code with the same privileges as the compromised container.
CVE-2026-23655: Microsoft ACI Confidential Containers Information Disclosure Vulnerability
Upon successful exploitation of the vulnerability, an attacker could disclose the secret tokens and keys.
CVE-2026-24302: Azure Arc Elevation of Privilege Vulnerability
As per the Microsoft advisory, “This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.”
CVE-2026-21532: Azure Function Information Disclosure Vulnerability
As per the Microsoft advisory, “This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.”
Other Microsoft Vulnerability Highlights
- CVE-2026-21511 is a spoofing vulnerability in Microsoft Outlook. Deserialization of untrusted data in Microsoft Office Outlook may allow an unauthenticated attacker to perform network spoofing.
- CVE-2026-21253 is an elevation of privilege vulnerability in the Mailslot File System. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
- CVE-2026-21241 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. Successful exploitation of the vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-21238 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. Successful exploitation of the vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-21231 is an elevation of privilege vulnerability in the Windows Kernel. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Windows Win32K – GRFX, Microsoft Edge for Android, Windows Notepad App, Windows GDI+, .NET and Visual Studio, Windows Kernel, Azure Local, Power BI, Windows HTTP.sys, Windows Connected Devices Platform Service, Windows Ancillary Function Driver for WinSock, Windows Subsystem for Linux, Windows LDAP – Lightweight Directory Access Protocol, Role: Windows Hyper-V, Windows Cluster Client Failover, Mailslot File System, GitHub Copilot and Visual Studio, Microsoft Office Excel, Microsoft Office Word, Windows Storage, Windows Shell, Microsoft Office Outlook, Azure DevOps Server, Internet Explorer, Github Copilot, Windows App for Mac, .NET, Desktop Window Manager, Azure Compute Gallery, Azure IoT SDK, Azure HDInsights, Azure SDK, Azure Function, Microsoft Defender for Linux, Azure Front Door (AFD), Azure Arc, and Microsoft Edge (Chromium-based).
The next Patch Tuesday is scheduled for March 10, and we will provide details and patch analysis at that time. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches’ webinar.’
Qualys Monthly Webinar Series
The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management, Detection & Response (VMDR), and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.
During the webcast, we will discuss this month’s high-impact vulnerabilities, including those highlighted in this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.
Join the webinar
This Month in Vulnerabilities & Patches