Microsoft has released its February 2026 Patch Tuesday with fixes for 58 vulnerabilities, including 6 zero-days that are already being actively exploited by hackers. This makes it one of the most critical updates of the year, and experts recommend installing it immediately.
Three of the zero-day vulnerabilities were publicly disclosed before the patch, meaning attackers have had time to develop exploits. If you use Windows, you need to update now.
The 6 zero-day vulnerabilities explained
1. CVE-2026-21510: Windows Shell protection bypass
This is arguably the most dangerous. An attacker can send a malicious link that, with a single click, executes code without showing any warning or consent dialog. It completely bypasses Windows Shell security protections.
Risk: Very high. Can be exploited via email, messages, or malicious websites.
2. CVE-2026-21513: MSHTML/Internet Explorer attack
Affects the MSHTML/Trident engine from Internet Explorer. Attackers can craft malicious HTML files or shortcuts (.lnk) that manipulate browser and Windows Shell handling. Although Internet Explorer is officially retired, its engine remains present in Windows.
3. CVE-2026-21514: malicious Office files
A specially crafted Office file can bypass OLE mitigations in Microsoft 365. This means opening a seemingly harmless Word or Excel document could compromise your system.
4. CVE-2026-21519: privilege escalation via DWM
A Desktop Window Manager vulnerability that allows attackers to escalate privileges to SYSTEM on an already compromised host. Combined with other vulnerabilities, it allows full system takeover.
5. CVE-2026-21533: Remote Desktop escalation
Discovered by CrowdStrike researchers, this Windows Remote Desktop Services flaw allows an attacker to modify service configuration keys to add themselves to the Administrators group.
6. CVE-2026-21525: Remote Access Connection Manager crash
Allows an unprivileged user to crash the RasMan service, affecting VPN and remote access connections.
How to update Windows immediately
- Open Settings (Win + I)
- Go to Windows Update
- Click Check for updates
- Install all available updates
- Restart your computer (required to apply security patches)
If you use Windows in an enterprise environment, contact your IT department. This patch should be deployed with emergency priority.
What else is in this Patch Tuesday
Beyond the 6 zero-days, Microsoft fixed:
- 5 critical vulnerabilities (3 privilege escalation, 2 information disclosure)
- 47 additional vulnerabilities of important severity
- Patches for Windows, Office, Edge, .NET, Visual Studio, and Azure
Context: why February 2026 is alarming
With 6 actively exploited zero-days, February 2026 is not a typical Patch Tuesday. Experts from Rapid7, Tenable, and CrowdStrike agree this is an emergency-level event requiring accelerated deployment.
Last month (January 2026) Microsoft fixed "only" 3 zero-days. The jump to 6 suggests a concerning trend in the sophistication and frequency of attacks targeting Windows.
