February 11, 2026
By esentry Team

Microsoft February 2026 Patch Tuesday

Overview

Microsoft has released this month’s Patch Tuesday, covering security updates for 58 vulnerabilities across Windows, Office, Azure and other core products. Importantly, this cycle contains six zero-day vulnerabilities that are actively exploited in the wild, and five critical-rated flaws that could enable serious system compromise if left unpatched. The vulnerabilities are listed below:

25 Elevation of Privilege

5 Security Feature Bypass

12 Remote Code Execution

6 Information Disclosure

3 Denial of Service

7 Spoofing

Actively Exploited Vulnerability

Out of the 6 actively exploited vulnerability, 3 of them (CVE-2026-21513, CVE-2026-21510, and CVE-2026-21514), has been publicly disclosed before the patch thereby increasing the risk of exploitation in unpatched environments. They include:

CVE-2026-21510 – Windows Shell Security Feature Bypass

Attackers can trick a user into opening a crafted shortcut or link file, allowing malicious content to run without SmartScreen or other user prompts.

CVE-2026-21513 – MSHTML Security Feature Bypass

A flaw in the MSHTML engine lets attackers bypass security protections over a network, enabling exploit chains involving HTML or shortcut content.

CVE-2026-21514 – Microsoft Word Security Feature Bypass

Malicious Office documents can bypass OLE mitigations, leading to execution of unsafe content when opened by a user.

CVE-2026-21519 – Desktop Window Manager Elevation of Privilege

Local attackers could elevate privileges to SYSTEM by exploiting issues in the Desktop Window Manager.

CVE-2026-21525 – Windows Remote Access Connection Manager DoS

Null pointer dereference may allow denial-of-service conditions on targeted machines.

CVE-2026-21533 – Windows Remote Desktop Services Elevation of Privilege

Improper privilege management in RDS enables attackers to gain higher privileges locally.

Recommendations

  • Deploy patches immediately across all affected systems, starting with Windows hosts, Office installations, and Remote Desktop Services.
  • Focus on user-facing endpoints and servers that process untrusted input (e.g., email attachments, web content).
  • Confirm that systems handling Office documents and Windows Shell components are patched to mitigate the security feature bypass issues.
  • Use centralized patch management to roll updates efficiently.

Validate patch deployment success and monitor for failed installs or reboot requirements.

🔗Read and download our 2025 Annual report on our website

Tags
#
esentry
#
Microsoft Patch
#
hideandsqueak

Related articles

February 13, 2026
Windows Remote Desktop Services Zero-Day Vulnerability

by esentry Team

February 13, 2026
Critical FortiClient EMS Flaw (CVSS 9.1) Allows Unauthenticated RCE

by esentry Team

February 13, 2026
SolarWinds Web Help Desk Exploited to Host Hidden QEMU VMs

by esentry Team

Nigeria
212/214 Herbert Macaulay Way, Yaba, Lagos, Nigeria
Nigeria Address
Ghana Address
US Address
English

Company

Resources

Solutions

Privacy PolicyQuality PolicyInfosec PolicyEmail PolicyTerms of UseDisclaimerCookies
© Copyright 2026. All rights reserved