6 Microsoft Zero-Days Exploited Before February Patch Tuesday 2026

Microsoft’s February 2026 Patch Tuesday addressed a surprisingly high number of actively exploited vulnerabilities – six zero-days, to be exact. This represents a significant increase compared to the previous month, where only one Windows vulnerability was under attack before the January security updates were released. The sheer volume of zero-day fixes underscores the escalating intensity of threats targeting the Windows ecosystem.

The six zero-days patched this month span a range of vulnerabilities, including security feature bypasses, elevation of privilege flaws, and denial of service issues. Three of these vulnerabilities were already publicly disclosed, meaning proof-of-concept exploits may already be circulating, increasing the risk of widespread exploitation. Microsoft addressed a total of 58 flaws with this update, including five categorized as “Critical.”

Windows Shell Bypass Leads the Charge

One of the most concerning vulnerabilities is a security feature bypass in Windows Shell (CVE-2026-21510). This flaw, assigned a CVSS rating of 8.8, allows attackers to bypass Windows SmartScreen and Shell security prompts. The attack vector requires tricking a user into opening a malicious link or shortcut file, but as Dustin Childs of Trend Micro’s Zero Day Initiative notes, “this bug is listed as a security feature bypass, but it could also be classified as code execution… Definitely test and deploy this fix quickly.” Essentially, the bypass removes a critical checkpoint in Windows security, allowing code execution without user consent.

Internet Explorer and Word Also Targeted

Another publicly disclosed vulnerability affects Internet Explorer (CVE-2026-21513), receiving a CVSS score of 8.8. Exploitation, like the Windows Shell vulnerability, relies on social engineering – convincing a user to open a malicious HTML file or shortcut. While Internet Explorer support officially ended in 2022, any remaining users are at significant risk.

Microsoft Word is also affected by a security feature bypass (CVE-2026-21514), with a CVSS rating of 7.8. This vulnerability allows attackers to gain access to Component Object Model (COM) and Object Linking and Embedding (OLE) controls through a malicious Office file, potentially leading to remote code execution. The Preview Pane, however, is not an attack vector.

Elevation of Privilege and Denial of Service

Beyond the bypass vulnerabilities, Microsoft addressed several elevation of privilege flaws. A vulnerability in the Desktop Window Manager (CVE-2026-21519) allows attackers to gain SYSTEM privileges. Childs pointed out that a similar vulnerability in the Desktop Window Manager was exploited in the previous month, suggesting the initial patch may not have fully resolved the issue.

A denial of service vulnerability in Windows Remote Access Connection Manager (CVE-2026-21525) and an elevation of privilege vulnerability in Windows Remote Desktop Services (CVE-2026-21533) were also patched. The Remote Desktop Services flaw, with a CVSS rating of 7.8, is due to improper privilege management.

Secure Boot Certificate Updates Begin

Alongside the security fixes, Microsoft has begun rolling out updated Secure Boot certificates. These updates are crucial as the original 2011 certificates are set to expire in late June 2026. The rollout is being phased to ensure compatibility and stability, with certificates being delivered to devices that demonstrate successful update signals. This process aims to prevent disruptions and maintain system integrity during the certificate transition.

A Busy Patch Tuesday

This February Patch Tuesday represents a significant workload for IT administrators. The high number of zero-day vulnerabilities, particularly those already publicly disclosed, demands immediate attention. While Microsoft has not provided details on who is exploiting these flaws or the extent of the attacks, the urgency is clear. The combination of actively exploited vulnerabilities and expiring certificates makes this a critical update cycle for Windows users and organizations.

Beyond the core security fixes, cumulative updates for Windows 11 (KB5077181 & KB5075941) and Windows 10 (KB5075912) are also available, addressing non-security related improvements and refinements.