Microsoft February 2026 Patch Tuesday: 6 Zero-Days Under Active Attack
February 2026 has turned out to be one of the most critical months for Windows security. Microsoft has released updates for 58 vulnerabilities, but the headline is the six actively exploited zero-days that were already being weaponized by hackers before a fix was available.
From Windows Shell bypasses to Microsoft Word exploits, this month's Patch Tuesday is a "must-update" for every user and enterprise.
The "Big Six": Actively Exploited Zero-Days
This month saw a significant spike in zero-day activity. Here are the most dangerous vulnerabilities you need to know about:
| CVE ID | Component | Impact |
|---|---|---|
| CVE-2026-21510 | Windows Shell | SmartScreen Bypass: Attackers use malicious .LNK files to run code without any warning. |
| CVE-2026-21514 | Microsoft Word | Security Bypass: Bypasses protections against malicious embedded COM/OLE objects in docs. |
| CVE-2026-21513 | MSHTML / IE | Legacy Bypass: Even though IE is retired, its engine (MSHTML) is being used to bypass security prompts. |
| CVE-2026-21519 | Desktop Window Manager | Privilege Escalation: Grants attackers SYSTEM-level access to the machine. |
| CVE-2026-21533 | Remote Desktop (RDS) | Privilege Escalation: Allows local attackers to gain full administrative control. |
| CVE-2026-21525 | Windows Remote Access | Denial of Service (DoS): Can knock critical networking services offline instantly. |
CISA Sets Urgent Deadline: March 3, 2026
The Cybersecurity and Infrastructure Security Agency (CISA) has officially added all six zero-days to its "Known Exploited Vulnerabilities" catalog.
Federal agencies and large enterprises have until March 3, 2026, to apply these patches. This short window highlights just how dangerous these flaws are.
Don't Forget Adobe: 44 Vulnerabilities Patched
It's not just Microsoft. Adobe also released a massive update addressing 44 unique vulnerabilities across its creative suite:
- After Effects: 15 bugs fixed (13 are Critical).
- Substance 3D Stager: 5 Critical bugs that could lead to full code execution.
- Adobe Audition & InDesign: Multiple critical memory corruption fixes.
If you use these tools for video or design work, update your Creative Cloud apps immediately.
Critical Azure Vulnerabilities
Cloud security also took a hit this month. Microsoft documented several "Critical" rated bugs in Azure components:
- Azure SDK for Python (CVE-2026-21531): Has a near-perfect CVSS score of 9.8/10.
- Azure Front Door: A critical Elevation of Privilege flaw that Microsoft has now patched at the infrastructure level.
Summary: What You Should Do Now
- Update Windows: Go to
Settings > Windows Updateand install the February 2026 Cumulative Update. - Update Office: Ensure Microsoft Word and Outlook are fully patched.
- Be Vigilant: Do not click on unknown
.LNKshortcut files or download unexpected Word documents from emails. - Check Secure Boot: This update also starts the rollout of new Secure Boot certificates (expiring in 2026).
