Stay ahead of critical vulnerabilities with our breakdown of this month's Microsoft security patches.
Release Date: Tuesday, February 10, 2026
Release Time: 10:00 AM PST / 1:00 PM EST / 6:00 PM UTC
Status: Released
Last Updated: February 11, 2026
Microsoft's February 2026 Patch Tuesday has released security updates for 58 vulnerabilities, including an unprecedented 6 actively exploited zero-day vulnerabilities and 3 additional publicly disclosed zero-days. This marks one of the most critical Patch Tuesday releases in recent history, requiring immediate attention from IT administrators worldwide.
CRITICAL ALERT - Immediate Action Required:
Total Vulnerabilities Fixed: 58 flaws
Actively Exploited Zero-Days: 6 vulnerabilities being used in real-world attacks
Publicly Disclosed Zero-Days: 3 additional vulnerabilities (within the 6 exploited)
Critical Severity: 5 vulnerabilities (3 Elevation of Privilege, 2 Information Disclosure)
Key Update Packages: KB5077181 (Windows 11 24H2/25H2), KB5075941 (Windows 11 23H2)
Build Numbers: 26100.7840 (24H2) | 26200.7840 (25H2) | 22631.6649 (23H2)
The 58 vulnerabilities addressed in February 2026 Patch Tuesday are categorized as follows:
Elevation of Privilege: Multiple vulnerabilities (including 3 Critical)
Remote Code Execution: Multiple vulnerabilities
Information Disclosure: Multiple vulnerabilities (including 2 Critical)
Security Feature Bypass: Multiple vulnerabilities (several actively exploited)
Denial of Service: Multiple vulnerabilities
Spoofing: Multiple vulnerabilities
Note: This count excludes 3 Microsoft Edge vulnerabilities fixed earlier in February.
February 2026 marks an alarming milestone with six zero-day vulnerabilities actively exploited in the wild. Three of these were publicly disclosed before patches were available. All require immediate patching.
Status: Actively Exploited | Publicly Disclosed
Attack Vector: An attacker must convince a user to open a malicious link or shortcut file
Impact: Bypass Windows SmartScreen and Windows Shell security prompts through improper handling in Windows Shell components. This allows attacker-controlled content to execute without user warning or consent.
Why It Matters: This vulnerability likely allows attackers to bypass Mark of the Web (MoTW) security warnings, a critical Windows security feature that protects users from malicious downloads.
Discovered By: Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), Office Product Group Security Team, Google Threat Intelligence Group, and an anonymous researcher
Status: Actively Exploited | Publicly Disclosed
Attack Vector: Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network
Impact: Attackers can bypass security features in the MSHTML rendering engine, which is still used by various Windows components despite Internet Explorer's deprecation.
Current Threat: Active exploitation confirmed, but Microsoft has not released details on how this is being exploited in the wild.
Discovered By: Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), Office Product Group Security Team, and Google Threat Intelligence Group
Status: Actively Exploited | Publicly Disclosed
Attack Vector: An attacker must send a user a malicious Office file and convince them to open it
Impact: Bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls
Important Note: This vulnerability cannot be exploited through the Office Preview Pane
Affected Products:
Microsoft Office 2016
Microsoft Office 2019
Microsoft Office LTSC 2021
Microsoft Office LTSC 2024
Microsoft 365 Apps for Enterprise
Discovered By: Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), Office Product Group Security Team, Google Threat Intelligence Group, and an anonymous researcher
Campaign Analysis: It is currently unclear if CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514 were exploited in the same attack campaign, as Microsoft has not released detailed exploitation information.
Status: Actively Exploited
Impact: An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
Why It's Critical: SYSTEM-level access is the highest privilege level in Windows, giving attackers complete control over the compromised system.
Exploitation Details: No details have been shared on how this vulnerability is being exploited in the wild.
Discovered By: Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC)
Status: Actively Exploited
Attack Vector: Null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally
Impact: Attackers can crash or freeze the Windows Remote Access Connection Manager service, disrupting VPN and remote access connectivity.
Discovered By: Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC)
Status: Actively Exploited
Microsoft has confirmed a sixth actively exploited zero-day vulnerability. Details are being compiled from Microsoft Security Response Center advisories.
In addition to the actively exploited zero-days, Microsoft has identified 5 Critical vulnerabilities in this release:
3 Elevation of Privilege vulnerabilities - Allow attackers to gain higher system privileges
2 Information Disclosure vulnerabilities - Allow unauthorized access to sensitive data
While these are not currently exploited, their Critical severity rating means they should be prioritized in your deployment schedule immediately following the zero-day patches.
February's release comes on the heels of an exceptionally difficult January 2026:
114 vulnerabilities patched – One of the largest January releases in recent history
8 critical vulnerabilities including remote code execution (RCE) and elevation of privilege (EoP) flaws
3 zero-day vulnerabilities (1 actively exploited: CVE-2026-20805 Desktop Window Manager)
Added to CISA's Known Exploited Vulnerabilities catalog
U.S. federal agencies required to patch by February 3, 2026
January 2026 required three emergency patches between regular Patch Tuesdays, all of which are consolidated into February's update:
Fixed credential prompt failures during Remote Desktop Protocol (RDP) connections
Addressed remote appliance connection issues
Affected: Windows 10, 11, Server 2019, 2022, 2025
Fixed Microsoft Outlook Classic issues with .pst files on cloud storage (OneDrive)
Major impact on users storing email in cloud
Applied to all supported Windows versions
CVE-2026-21509: Microsoft Office Security Feature Bypass (actively exploited)
Attack vector: Malicious Office files bypassing OLE mitigations
CISA deadline for federal agencies: February 16, 2026
Affects Office 2016, 2019, LTSC 2021, LTSC 2024, Microsoft 365 Apps for Enterprise
Important: All three January OOB fixes are included in February's cumulative update.
Despite the focus on critical security fixes, February brings several significant quality-of-life improvements to Windows 11:
What Changed: Previously, enabling Smart App Control permanently locked the setting—disabling it required a complete Windows reinstallation.
What's New: Users can now toggle Smart App Control on/off through Windows Security settings without reinstalling Windows.
How to Access:
Open Windows Security
Navigate to App & Browser Control
Select Smart App Control
Toggle setting as needed
Why It Matters: This flexibility encourages organizations to test this security feature without fear of permanent commitment.
What's New: Enhanced Sign-in Security now works with external fingerprint readers and third-party biometric devices, not just built-in laptop sensors.
Benefit: Organizations can deploy desktop PCs with external biometric readers while leveraging Windows 11's strongest authentication protections.
Security Impact: Extends Windows Hello's resistance to credential theft and phishing attacks to a broader range of hardware configurations.
What's New: Resume Android apps and activities directly on Windows 11 desktop using the Phone Link feature.
Examples:
Continue playing Spotify from your phone on your PC
Pick up browsing sessions from mobile Chrome
Resume mobile Office apps on desktop
Availability: Rolling out to Windows 11 versions 24H2 and 25H2 via Controlled Feature Rollout (CFR).
New Setup Wizard: Streamlined onboarding for Voice Access
Enhanced Controls: Customize wait times before voice commands execute
Better Recognition: Improved accuracy and reliability for hands-free input
Accessibility Focus: More granular control over Narrator announcements
Windows MIDI Services 2.0: Major upgrade for musicians and audio professionals
File Explorer Performance: Faster folder navigation and reduced lag
Settings App Device Info Card: Quick hardware specifications on Settings home page
Gaming Fixes: Resolved device eligibility detection for full-screen gaming
Wi-Fi Fixes: Resolved WPA3-Personal connection failures from January update
Secure Boot Certificate Updates: Phased rollout to prevent certificate expiration issues
KB Number: KB5077181
Build Numbers:
Windows 11 24H2: Build 26100.7840
Windows 11 25H2: Build 26200.7840
KB Number: KB5075941
Build Number: 22631.6649
KB Number: KB5075912
Build Number: 19045.6937
⚠️ Windows 10 ESU Reminder: Extended Security Updates support ends October 2026. Organizations should accelerate migration planning to Windows 11.
With 6 actively exploited zero-day vulnerabilities, February 2026 is not a typical Patch Tuesday. This is an emergency-level security event requiring accelerated deployment timelines.
Key Risk Factors:
Active Exploitation: Attackers are already using these vulnerabilities in real-world campaigns
Public Disclosure: 3 of the 6 zero-days were publicly disclosed, increasing attacker awareness
Broad Impact: Affects Windows OS, Office applications, and critical system components
SYSTEM-Level Access: At least one vulnerability grants complete system control
Security Feature Bypass: Multiple vulnerabilities disable critical Windows protections
Timeline: 24-36 hours maximum
Actions:
Download updates to staging environment immediately at 10 AM PST
Rapid compatibility testing on critical applications only
Focus on validating zero-day fixes don't break production
Document any blockers immediately
Decision point by end of February 11: Go/No-Go for production deployment
Target Systems: Test lab only (compressed timeline)
Timeline: 48 hours after release
Priority Targets:
Internet-facing systems - Highest risk of exploitation
Systems running Office applications - CVE-2026-21514 targets Word
VPN/Remote access infrastructure - CVE-2026-21525 targets Remote Access Connection Manager
Systems with elevated privileges - CVE-2026-21519 grants SYSTEM access
Executive/high-value targets - Often targeted in zero-day campaigns
Deployment Strategy: 30-50% of critical infrastructure
Timeline: Week 1 completion
Actions:
Deploy to remaining production systems (75-90%)
Focus on all Office users (Word vulnerability)
Update all Windows 11 and Windows 10 ESU endpoints
Monitor for exploitation attempts in logs
Maintain rapid response capability
Target: 90% deployment by end of Week 1
Timeline: Full coverage by end of Week 2
Actions:
Deploy to remaining specialized systems
Address any deployment failures
Complete 100% organizational coverage
Document lessons learned
Prepare incident response if exploitation detected
Target: 100% deployment completion
✅ Before Deploying (Complete Immediately):
Infrastructure:
Verify all backups are current and restorable
Test rollback procedures
Ensure WSUS/SCCM/Intune is operational
Verify network capacity for rapid deployment
Establish 24/7 monitoring for deployment week
Team Coordination:
Activate emergency patch response team
Schedule emergency maintenance windows
Notify all stakeholders of zero-day situation
Establish war room/command center
Brief executive leadership on risk
Security Monitoring:
Enable enhanced logging on critical systems
Monitor for indicators of zero-day exploitation
Review security alerts from January-February
Coordinate with SOC/security team
Establish incident response procedures
Prioritize testing these specific areas affected by actively exploited vulnerabilities:
Microsoft Office/Word: Test document opening, editing, saving (CVE-2026-21514)
File Downloads: Verify SmartScreen warnings appear (CVE-2026-21510)
Web Content: Test MSHTML-based applications (CVE-2026-21513)
Remote Access: Verify VPN/RDP connectivity (CVE-2026-21525)
Desktop Window Manager: Check for system stability (CVE-2026-21519)
Smart App Control: Test new toggle functionality if deployed
Windows Hello: Verify external fingerprint reader support
⚠️ Known Issues (As of February 11, 2026):
Controlled Feature Rollout: New features may not appear immediately on all devices
Impact: Smart App Control toggle, Cross-Device Resume may be delayed
Workaround: Wait for natural rollout (features not critical for security)
Secure Boot Certificate Deployment: Phased rollout may delay certificate updates
Impact: Some systems may not receive new certificates immediately
Mitigation: Microsoft monitors device health before deploying
Monitor Official Sources:
Adobe released security updates for:
Check the Adobe Security Bulletin for full details.
Released security updates for a critical RCE flaw in:
CISA issued a new directive requiring federal agencies to remove network edge devices that have reached end of support.
Security updates released for:
Updates released for:
February 2026 security bulletin released with no security fixes (maintenance release only).
Version 145: Expected around February 10-11
Version 148: Expected around February 11-12
Important Planning Alert: NTLM Phase-Out Begins
Microsoft continues its three-phase plan to deprecate NTLM authentication:
Phase 1 (Current - Available Now):
Phase 2 (Coming Soon - Next Major Update):
Phase 3 (Future - Next Major Server Release):
Recommended Actions:
Below is the complete list of vulnerabilities addressed in February 2026. For full technical details, consult the Microsoft Security Response Center.
| CVE ID | Title | Severity | Status |
|---|---|---|---|
| CVE-2026-21510 | Windows Shell Security Feature Bypass Vulnerability | Important | Actively Exploited | Publicly Disclosed |
| CVE-2026-21513 | MSHTML Framework Security Feature Bypass Vulnerability | Important | Actively Exploited | Publicly Disclosed |
| CVE-2026-21514 | Microsoft Word Security Feature Bypass Vulnerability | Important | Actively Exploited | Publicly Disclosed |
| CVE-2026-21519 | Desktop Window Manager Elevation of Privilege Vulnerability | Important | Actively Exploited |
| CVE-2026-21525 | Windows Remote Access Connection Manager Denial of Service Vulnerability | Important | Actively Exploited |
| CVE-2026-XXXXX | Sixth Zero-Day (Details Pending from MSRC) | TBD | Actively Exploited |
| Category | Count | Description |
|---|---|---|
| Elevation of Privilege | 3 | Allow attackers to gain higher system privileges |
| Information Disclosure | 2 | Allow unauthorized access to sensitive data |
Full CVE details with specific vulnerability IDs will be available from the Microsoft Security Update Guide.
The remaining vulnerabilities (not actively exploited but still important) include:
| CVE ID | Title | Original Disclosure |
|---|---|---|
| CVE-2026-1862 | Chromium: Type Confusion in V8 | 2026-02-06 |
| CVE-2026-1861 | Chromium: Heap buffer overflow in libvpx | 2026-02-05 |
| CVE-2026-21532 | Azure Function Information Disclosure Vulnerability | 2026-02-05 |
| CVE-2026-24302 | Azure Arc Elevation of Privilege Vulnerability | 2026-02-05 |
| CVE-2026-0391 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | 2026-02-05 |
| CVE-2026-24300 | Azure Front Door Elevation of Privilege Vulnerability | 2026-02-05 |
| CVE-2026-1504 | Chromium: Inappropriate implementation in Background Fetch API | 2026-01-30 |
| CVE-2026-20960 | PowerApps Desktop Client Remote Code Execution Vulnerability | 2026-01-29 |
| CVE-2026-20805 | Desktop Window Manager Information Disclosure Vulnerability (January Zero-Day) | 2026-01-27 |
| CVE-2026-21509 | Microsoft Office Security Feature Bypass Vulnerability (January OOB Zero-Day) | 2026-01-26 |
| CVE-2026-1220 | Chromium: Race in V8 | 2026-01-23 |
| CVE-2026-21521 | Word Copilot Information Disclosure Vulnerability | 2026-01-22 |
| CVE-2026-24307 | M365 Copilot Information Disclosure Vulnerability | 2026-01-22 |
| CVE-2026-21227 | Azure Logic Apps Elevation of Privilege Vulnerability | 2026-01-22 |
| CVE-2026-24305 | Azure Entra ID Elevation of Privilege Vulnerability | 2026-01-22 |
Timeline: First 24-48 hours after release
Actions:
Target Systems: Non-production test environment only
Timeline: 48-72 hours after successful testing
Actions:
Target Systems:
Timeline: Week 1 completion
Actions:
Target Systems:
Timeline: Week 2 completion
Actions:
Target Systems:
Before Patch Tuesday arrives, ensure you have:
Patches are essential software updates written to fix bugs and security vulnerabilities. Keeping applications and operating systems updated prevents attackers from exploiting known security flaws to access business-critical data and systems.
IT teams should approach February's Patch Tuesday with a balance of urgency and caution, moving quickly on critical security fixes while maintaining robust testing procedures to catch any potential issues before they impact production systems.
Regular patching is a cornerstone of good cybersecurity hygiene. While it requires planning and resources, the alternative of leaving systems vulnerable to known exploits poses far greater risks to organizations.
Once patches are deployed:
Microsoft Security Response Center (MSRC)
Microsoft Update Catalog
Windows Release Health Dashboard
Microsoft Security Blog
Microsoft's February 2026 Patch Tuesday represents one of the most critical security events in recent Windows history. With 6 actively exploited zero-day vulnerabilities affecting core Windows components, Office applications, and system security features, organizations face an immediate and serious threat.
The coordination between Microsoft's Threat Intelligence Center, Security Response Center, Office Security Team, and Google's Threat Intelligence Group in discovering these vulnerabilities suggests sophisticated attack campaigns may be underway. The fact that 3 of these zero-days were publicly disclosed before patches were available further increases the urgency.
This is not a time for business-as-usual patch management. IT teams must activate emergency response procedures, accelerate deployment timelines, and treat this as the critical security event it is.
Key Takeaways - Emergency Response:
Deploy within 72 hours – 6 zero-days require emergency response timelines
Prioritize Office environments – CVE-2026-21514 targets Word users
Monitor for compromise indicators – Check for signs of exploitation since January
Brief executive leadership – This is a board-level security event
Maintain incident response readiness – Be prepared to respond if exploitation detected
Document everything – Track deployment and any anomalies
Accelerate Windows 11 migration – Windows 10 ESU ends October 2026
The silver lining is that Microsoft has now released patches for all 6 actively exploited vulnerabilities. Organizations that deploy rapidly can close these attack vectors before threat actors expand their campaigns.
Stay vigilant, deploy urgently but carefully, and keep your security teams on high alert. This is one Patch Tuesday that demands your immediate and full attention.
