Today’s Patch Tuesday Alert addresses Microsoft’s February 2026 Security Updates. The FIRE team is actively working on coverage for these vulnerabilities and expects to ship that coverage as soon as it is completed.
In-The-Wild & Disclosed CVEs
A type confusion vulnerability in the Desktop Window Manager could allow an authenticated attacker to elevate their permissions to SYSTEM. Microsoft has reported this vulnerability as Exploitation Detected.
Improper privilege management in Windows Remote Desktop Services could allow an authenticated attacker to elevate their permissions to SYSTEM. Microsoft has reported this vulnerability as Exploitation Detected.
One of three bypasses this month, this vulnerability in the MSHTML Framework could allow a malicious HTML or shortcut file to bypass prompts when executing a file, leading to potential code execution. Microsoft has reported this vulnerability as Exploitation Detected.
The second of three bypasses this month, this vulnerability comes from improper handling within Windows Shell components. A successful attack would allow an attacker to bypass Windows SmartScreen and Windows Shell security prompts, meaning that malicious content could be executed without a user knowing. Microsoft has reported this vulnerability as Exploitation Detected.
The third of three bypasses this month, this Microsoft Word vulnerability could allow a malicious Office file to bypass the OLE mitigations that protect users from vulnerable COM/OLE controls. Microsoft has reported this vulnerability as Exploitation Detected.
A null pointer dereference in Windows Remote Access Connection Manager could allow for a local denial of service. Microsoft has reported this vulnerability as Exploitation Detected.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per-tag basis. Vulnerabilities are also color-coded to aid with identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed will be highlighted
| Tag | CVE Count | CVEs |
| --- | --- | --- |
| Desktop Window Manager | 1 | CVE-2026-21519 |
| GitHub Copilot and Visual Studio Code | 1 | CVE-2026-21518 |
| Windows App for Mac | 1 | CVE-2026-21517 |
| Azure DevOps Server | 1 | CVE-2026-21512 |
| Microsoft Office Excel | 3 | CVE-2026-21259, CVE-2026-21258, CVE-2026-21261 |
| Microsoft Office Outlook | 2 | CVE-2026-21260, CVE-2026-21511 |
| Role: Windows Hyper-V | 4 | CVE-2026-21248, CVE-2026-21247, CVE-2026-21255, CVE-2026-21244 |
| Microsoft Graphics Component | 2 | CVE-2026-21246, CVE-2026-21235 |
| Windows Subsystem for Linux | 2 | CVE-2026-21242, CVE-2026-21237 |
| Windows Connected Devices Platform Service | 1 | CVE-2026-21234 |
| Windows Ancillary Function Driver for WinSock | 3 | CVE-2026-21236, CVE-2026-21241, CVE-2026-21238 |
| .NET | 1 | CVE-2026-21218 |
| Azure Compute Gallery | 2 | CVE-2026-23655, CVE-2026-21522 |
| GitHub Copilot and Visual Studio | 3 | CVE-2026-21523, CVE-2026-21257, CVE-2026-21256 |
| Power BI | 1 | CVE-2026-21229 |
| Windows Remote Desktop | 1 | CVE-2026-21533 |
| MSHTML Framework | 1 | CVE-2026-21513 |
| Microsoft Edge for Android | 1 | CVE-2026-0391 |
| Microsoft Edge (Chromium-based) | 2 | CVE-2026-1861, CVE-2026-1862 |
| Azure Front Door (AFD) | 1 | CVE-2026-24300 |
| Azure Arc | 1 | CVE-2026-24302 |
| Azure Function | 1 | CVE-2026-21532 |
| Microsoft Exchange Server | 1 | CVE-2026-21527 |
| Azure IoT SDK | 1 | CVE-2026-21528 |
| Azure SDK | 1 | CVE-2026-21531 |
| Windows Shell | 1 | CVE-2026-21510 |
| Microsoft Defender for Linux | 1 | CVE-2026-21537 |
| Azure HDInsights | 1 | CVE-2026-21529 |
| Microsoft Office Word | 1 | CVE-2026-21514 |
| Windows Remote Access Connection Manager | 1 | CVE-2026-21525 |
| Github Copilot | 1 | CVE-2026-21516 |
| Windows Storage | 1 | CVE-2026-21508 |
| Mailslot File System | 1 | CVE-2026-21253 |
| Windows Win32K - GRFX | 1 | CVE-2023-2804 |
| Windows Cluster Client Failover | 1 | CVE-2026-21251 |
| Windows HTTP.sys | 3 | CVE-2026-21250, CVE-2026-21240, CVE-2026-21232 |
| Windows NTLM | 1 | CVE-2026-21249 |
| Windows Kernel | 4 | CVE-2026-21245, CVE-2026-21239, CVE-2026-21231, CVE-2026-21222 |
| Windows LDAP - Lightweight Directory Access Protocol | 1 | CVE-2026-21243 |
| Azure Local | 1 | CVE-2026-21228 |
| Windows GDI+ | 1 | CVE-2026-20846 |
| Windows Notepad App | 1 | CVE-2026-20841 |
Other Information
At the time of publication, there were no new advisories included with the February Security Guidance.