Chipp.in Tech News and Reviews

Windows, Security & Privacy, Open Source and more


Six Zero-Days in the Wild: The February 2026 Windows Patch Tuesday Breakdown

Posted on February 11, 2026 by Martin Brinkmann

If January was the warm-up, February is the sprint.

Microsoft’s second Patch Tuesday of 2026 has arrived with significant urgency, addressing 59 vulnerabilities in total. While the total count is manageable, the severity is high: the release fixes six zero-day vulnerabilities that are currently being exploited in the wild.

Here is the breakdown of what you need to know, what to patch first, and what might break.

The February 2026 Patch Day overview

Executive Summary

  • Release Date: February 10, 2026
  • Total Vulnerabilities: 59
  • Critical Vulnerabilities: 5
  • Zero-Days (Actively Exploited): 6 (Windows Shell, MSHTML, Word, DWM, RDP, Remote Access Connection Manager)
  • Key Action Item: Administrators must prioritize workstation patching immediately due to three “one-click” security bypasses (Shell, MSHTML, Word) that allow code execution without user confirmation. Simultaneously, restrict and patch RDP servers to prevent the active SYSTEM-level escalation exploit (CVE-2026-21533).

Important Patches

  • CVE-2026-21510 — Windows Shell Security Feature Bypass Vulnerability
  • CVE-2026-21513 — MSHTML Platform Security Feature Bypass Vulnerability
  • CVE-2026-21514 — Microsoft Office Word Security Feature Bypass Vulnerability
  • CVE-2026-21519 — Desktop Window Manager Elevation of Privilege Vulnerability
  • CVE-2026-21533 — Windows Remote Desktop Services Elevation of Privilege Vulnerability

Cumulative Updates

| Product, Version | KB Article | Notes |
| --- | --- | --- |
| Windows 10, Version 22H2 | KB5075912 | ESU only. Security updates. Fixes the VSM shutdown/restart bug introduced in January. |
| Windows 11, Version 23H2 | KB5075941 | Security updates. |
| Windows 11, Version 24H2 / 25H2 | KB5077181 | Security updates and non-security changes. Adds “Cross-Device resume” and MIDI 2.0 support. |

Deep Dive: The Critical Vulnerabilities

Microsoft confirmed that installing the cumulative updates fixes six zero-day vulnerabilities that are already being exploited. Attackers may exploit the issues on unpatched systems to bypass protections and gain system-level access.

Here is the critical overview:

CVE-2026-21510 (Windows Shell Security Feature Bypass)

Allows attackers to craft malicious links or shortcut files to bypass Mark of the Web (MotW) and Windows SmartScreen prompts. As a result, malicious payloads may execute on unpatched systems without the usual “Are you sure” security warnings of SmartScreen.

CVE-2026-21513 (MSHTML Platform Security Feature Bypass)

Allows attackers to bypass security prompts using malicious HTML files, if the Internet Explorer engine (MSHTML) is used for rendering. The threat is similar to the Windows Shell issue described above, as it may be used to skip security screens to run malicious code on target systems.

CVE-2026-21514 (Microsoft Word Security Feature Bypass)

The third of the feature bypasses, this exploits an issue in Object Linking & Embedding (OLE) in Microsoft Office. Attackers may use it to run malicious Word documents and sidestep certain protections designed to block the execution of risky external content.

CVE-2026-21519 (Desktop Window Manager Elevation of Privilege)

The vulnerability is a type confusion flaw in the Desktop Window Manager (DWM). Attackers need basic access to a system to exploit it; once they have that, they may use the flaw to elevate their privileges to SYSTEM level, which allows them to take control of the system.

CVE-2026-21533 (Windows Remote Desktop Services Elevation of Privilege)

An improper privilege management flaw in Remote Desktop Protocol (RDP). Exploitation opens another route to SYSTEM privileges on unpatched systems. This is especially problematic in enterprise environments, which usually use RDP a lot.

CVE-2026-21525 (Windows Remote Access Connection Manager Denial of Service)

A null pointer dereference issue in the VPN / Dial-up manager. A local attacker, even with low privileges, may use the issue to crash the service repeatedly.

Significant Changes in the February 2026 updates

  • The Virtual Secure Mode (VSM) restart loop bug is fixed.
  • Cross-Device resume arrives in Windows 11. When a phone is paired with the Windows system, its recent activities are now displayed in Start. You can continue those. Requires the latest Link to Windows app.
  • Native MIDI 2.0 support. The new protocol is now supported, which creators and audio engineers may take advantage of.
  • The Secure Boot change is entering the targeting phase. In this phase, Windows can determine whether the device’s UEFI is compatible with the upcoming certificate rotation. If it is, the device will be queued to receive the actual update in the coming months. No user action required.

First Steps: Your Patch Tuesday Strategy

  1. Patch the six zero-day vulnerabilities immediately. Start with user workstations.
  2. If you paused updates in January because of the VSM restart loop bug, deploy this month’s cumulative update to get it fixed.
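
To confirm that a workstation actually received this month's cumulative update, the following PowerShell check can be run locally or through a management tool. It is an added example, not part of the original article: the KB numbers come from the Cumulative Updates table above, while the build-number mapping and the function name Get-FebruaryPatchStatus are assumptions made for illustration.

```powershell
# Added example, not from the original article.
# KB numbers come from the article's Cumulative Updates table; the mapping of
# OS build numbers to Windows versions is an assumption.
$kbByBuild = @{
    19045 = 'KB5075912'   # Windows 10, version 22H2 (ESU only)
    22631 = 'KB5075941'   # Windows 11, version 23H2
    26100 = 'KB5077181'   # Windows 11, version 24H2
    26200 = 'KB5077181'   # Windows 11, version 25H2
}

function Get-FebruaryPatchStatus {   # hypothetical helper name
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $kb    = $kbByBuild[$build]

    # $null means the build is not covered by the table, so no verdict is possible.
    $installed = $null
    if ($kb) {
        # Get-HotFix only proves that this exact KB is present. A later
        # cumulative update supersedes it, so "missing" on a machine that is
        # already on a newer cumulative update is not a finding.
        $installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    }

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed,
    # which matters for the article's advice to restrict RDP (CVE-2026-21533).
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)

    if ($null -eq $installed) {
        $status = 'Unknown build, check manually'
    } elseif ($installed) {
        $status = 'February update installed'
    } else {
        $status = 'February update missing'
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Build      = $build
        ExpectedKB = $kb
        Status     = $status
        RdpEnabled = $rdpEnabled
    }
}

Get-FebruaryPatchStatus
```

Machines that report the update as missing while RdpEnabled is True are the ones where both parts of the key action item apply.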