Microsoft’s February 2026 Patch Tuesday: Addressing 54 Vulnerabilities, Including Six Zero-Days
On February 10, 2026, Microsoft released its latest Patch Tuesday updates, addressing 54 security vulnerabilities across a range of products, including Windows, Office, Azure, and various developer tools. Notably, this update includes fixes for six zero-day vulnerabilities that had been publicly disclosed or actively exploited prior to the release.
Breakdown of Vulnerabilities:
– Remote Code Execution (RCE): 11 vulnerabilities
– Denial of Service (DoS): 3 vulnerabilities
– Elevation of Privilege (EoP): 23 vulnerabilities
– Information Disclosure: 5 vulnerabilities
– Security Feature Bypass: 5 vulnerabilities
– Spoofing: 7 vulnerabilities
Zero-Day Vulnerabilities:
The six zero-day vulnerabilities addressed in this update are:
1. CVE-2026-21514: A security feature bypass in Microsoft Office Word.
2. CVE-2026-21513: A security feature bypass in the MSHTML Framework.
3. CVE-2026-21510: A security feature bypass in Windows Shell.
4. CVE-2026-21533: An elevation of privilege vulnerability in Windows Remote Desktop Services.
5. CVE-2026-21525: A denial of service vulnerability in Windows Remote Access Connection Manager.
6. CVE-2026-21519: An elevation of privilege vulnerability in the Desktop Window Manager.
These vulnerabilities could be exploited in combination, allowing attackers to bypass security protections, execute arbitrary code, or escalate privileges within affected systems.
Critical Vulnerabilities:
Among the vulnerabilities addressed, two are classified as Critical and warrant immediate attention:
1. CVE-2026-23655: An information disclosure vulnerability in Azure Compute Gallery’s ACI Confidential Containers, which could lead to the leakage of sensitive data from confidential workloads.
2. CVE-2026-21522: An elevation of privilege vulnerability in Azure Compute Gallery’s ACI Confidential Containers, enabling attackers to escalate privileges within container environments.
These vulnerabilities underscore the importance of securing cloud-native confidential computing environments.
Additional Notable Vulnerabilities:
– CVE-2026-21537: An RCE vulnerability in Microsoft Defender for Endpoint Linux Extension.
– CVE-2026-21531: An RCE vulnerability in Azure SDK for Python.
– CVE-2026-21523: An RCE vulnerability affecting GitHub Copilot and Visual Studio Code.
– CVE-2026-21516: An RCE vulnerability in GitHub Copilot for JetBrains.
– CVE-2026-21256: An RCE vulnerability in GitHub Copilot and Visual Studio.
These vulnerabilities highlight the risks associated with cloud, endpoint, and developer tools, emphasizing the need for prompt patching and vigilant security practices.
Office and Windows Vulnerabilities:
Several vulnerabilities affecting Microsoft Office and Windows components were also addressed:
– Office:
  – CVE-2026-21527 & CVE-2026-21260: Spoofing vulnerabilities in Outlook.
  – CVE-2026-21261, CVE-2026-21259, & CVE-2026-21258: Information disclosure and elevation of privilege vulnerabilities in Excel.
  – CVE-2026-21514: A security feature bypass in Word.
– Windows:
  – CVE-2026-21250: An elevation of privilege vulnerability in HTTP.sys.
  – CVE-2026-21255: A security feature bypass in Hyper-V.
  – CVE-2026-21508: An elevation of privilege vulnerability in Windows Storage.
Azure-Specific Vulnerabilities:
The update also addresses vulnerabilities specific to Azure services:
– CVE-2026-21529: A spoofing vulnerability in HDInsight.
– CVE-2026-21528: An information disclosure vulnerability in IoT Explorer SDK.
Recommendations:
Given the breadth and severity of the vulnerabilities addressed in this update, organizations and individual users should:
1. Apply Updates Promptly: Ensure that all systems are updated with the latest patches to mitigate potential exploitation risks.
2. Review Security Configurations: Assess and adjust security settings to align with best practices, especially in cloud and container environments.
3. Monitor Systems: Implement continuous monitoring to detect any unusual activities that may indicate exploitation attempts.
4. Educate Users: Provide training on recognizing phishing attempts and other common attack vectors to reduce the risk of user-initiated compromises.
By taking these proactive steps, organizations can enhance their security posture and protect against potential threats arising from these vulnerabilities.