Microsoft February 2026 Patch Tuesday – 59 Flaws Fixed, 6 Actively Exploited

on

 

Microsoft Feb 2026 CVE

Microsoft has rolled out security updates addressing 59 vulnerabilities across its software portfolio. Of these, six zero-days are confirmed as actively exploited in the wild and have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by March 3, 2026.

Breakdown of Vulnerabilities

  • Critical: 5

  • Important: 52

  • Moderate: 2

Categories:

  • Privilege Escalation – 25

  • Remote Code Execution – 12

  • Spoofing – 7

  • Information Disclosure – 6

  • Security Feature Bypass – 5

  • Denial of Service – 3

  • Cross-Site Scripting – 1

Actively Exploited Zero-Days

  • CVE-2026-21510 (CVSS 8.8): Windows Shell security feature bypass

  • CVE-2026-21513 (CVSS 8.8): MSHTML Framework bypass via malicious HTML files

  • CVE-2026-21514 (CVSS 7.8): Microsoft Word security decision flaw

  • CVE-2026-21519 (CVSS 7.8): Desktop Window Manager type confusion → local privilege escalation

  • CVE-2026-21525 (CVSS 6.2): Remote Access Connection Manager null pointer dereference → denial of service

  • CVE-2026-21533 (CVSS 7.8): Remote Desktop improper privilege management → SYSTEM-level escalation

Key Highlights

  • Discovery: Microsoft Security teams and Google Threat Intelligence Group reported the first three flaws.

  • Impact: Exploitation can lead to SYSTEM-level access, disabling security tools, malware deployment, or domain compromise.

  • Secure Boot Update: Microsoft is replacing 2011 Secure Boot certificates before they expire in June 2026. Devices not updated will enter a degraded security state.

  • Future Protections:

    • Windows Baseline Security Mode → runtime integrity safeguards enabled by default.

    • User Transparency & Consent → clearer prompts when apps access sensitive resources, modeled after Apple’s TCC framework.

Why It Matters

These updates are part of Microsoft’s Secure Future Initiative and Windows Resiliency Initiative, aiming to harden Windows against evolving threats. Organizations should prioritize patching, especially the six zero-days, to prevent privilege escalation and bypass attacks already being leveraged in the wild.

Comments

Post a Comment