Summary
- Total CVEs fixed: 58 (Microsoft‑tracked)
- Actively exploited zero‑days: 6
- Critical severity flaws: 5
- By category: 25 Elevation of Privilege, 5 Security Feature Bypass, 12 RCE, 6 Info Disclosure, 3 DoS, 7 Spoofing
- Immediate priority patches (our shortlist): Zero‑days in Windows Shell (CVE‑2026‑21510), MSHTML (CVE‑2026‑21513), Microsoft Word (CVE‑2026‑21514), and Desktop Window Manager (CVE‑2026‑21519)—patch on expedited change windows; monitor for exploitation indicators.
- References: Microsoft Release Notes, MSRC Update Guide, plus independent briefs from BleepingComputer, Qualys, and Lansweeper. [bleepingcomputer.com], [blog.qualys.com], [lansweeper.com]
Key Takeaways for Security & IT
- User‑initiated attack paths remain dominant. Three of the six zero‑days are security feature bypasses in Shell/MSHTML/Word that rely on enticing users to open files/links—align detections for Mark‑of‑the‑Web bypass behaviors and tighten attachment/link filtering.
- Privilege elevation continues to lead the pack. With 25 EoP bugs, harden endpoint least‑privilege and ensure rapid patching on high‑exposure workstations and VDI farms.
- Plan for staged rollouts but move fast. The combination of 6 in‑the‑wild zero‑days and a relatively modest total volume (58) favors an accelerated patch cycle this month.
Zero‑Day Vulnerabilities (Actively Exploited)
Microsoft reports six zero‑days exploited in the wild this month. The following five are publicly detailed across industry summaries; Microsoft has not widely highlighted all technical specifics at publication time. Patch on expedited timelines. [bleepingcomputer.com]
CVE‑2026‑21510 — Windows Shell Security Feature Bypass
- Type: Security Feature Bypass
- Vector: Malicious link/shortcut; bypasses SmartScreen/Shell prompts to run attacker‑controlled content without warnings.
- Affected: Windows Shell components (multiple Windows versions).
- Secure Chain recommendation: Patch immediately; hard‑block .LNK from untrusted sources; strengthen attachment sandboxing. [bleepingcomputer.com]
CVE‑2026‑21513 — MSHTML Framework Security Feature Bypass
- Type: Security Feature Bypass
- Vector: Crafted HTML/shortcut content; remote delivery possible (email/web).
- Secure Chain recommendation: Patch immediately; disable legacy IE/ActiveX surfaces where possible; enforce Protected View for Office downloads. [bleepingcomputer.com]
CVE‑2026‑21514 — Microsoft Word Security Feature Bypass
- Type: Security Feature Bypass
- Vector: Malicious Office document; not triggerable via Preview Pane.
- Secure Chain recommendation: Patch immediately; enforce Office File Block and Protected View; strip OLE/ActiveX where feasible. [bleepingcomputer.com]
CVE‑2026‑21519 — Desktop Window Manager Elevation of Privilege
- Type: Elevation of Privilege
- Impact: Local elevation to SYSTEM.
- Secure Chain recommendation: Patch immediately on all user endpoints; review EDR detections for suspicious DWM process chains. [bleepingcomputer.com]
CVE‑2026‑21525 — Remote Access Connection Manager Denial of Service
- Type: DoS; found exploited in the wild.
- Impact: Local service disruption; may be paired with other techniques.
- Secure Chain recommendation: Patch during the same expedited window; monitor RASMAN crash telemetry. [bleepingcomputer.com]
Note: Industry recaps consistently cite six zero‑days for February; the above five are those publicly detailed in multiple sources. Continue to monitor MSRC for any late‑breaking IDs and revise priorities accordingly. [bleepingcomputer.com], [blog.qualys.com]
Critical Severity Vulnerabilities
Microsoft labels five issues as Critical this month. While several are EoP or Info Disclosure (unusual for “Critical”), their exploitation complexity and potential blast radius warrant early‑phase remediation—especially on internet‑exposed or high‑privilege assets. (See our CVE table for roll‑up.) [bleepingcomputer.com]
Breakdown by Vulnerability Category (Microsoft)
- Elevation of Privilege (EoP): 25
- Remote Code Execution (RCE): 12
- Security Feature Bypass: 5
- Information Disclosure: 6
- Denial of Service: 3
- Spoofing: 7 [bleepingcomputer.com]
Context from industry trackers (Qualys, Lansweeper) aligns with the emphasis on exploited SFB/EoP items and recommends fast rollout. [blog.qualys.com], [lansweeper.com]
Secure Chain Priority Patch Guidance (Order of Operations)
- All six zero‑days, prioritizing CVE‑2026‑21510 / 21513 / 21514 / 21519 on user endpoints and Office footprints. [bleepingcomputer.com]
- Critical‑rated vulnerabilities on servers and domain‑joined endpoints, especially those with network‑exposed vectors. [blog.qualys.com]
- High‑prevalence EoP affecting core Windows components (reduce lateral movement headroom). [bleepingcomputer.com]
- RCEs with low attack complexity in client components or services likely touched by untrusted content. [blog.qualys.com]
- Remaining important‑severity flaws in standard cycles, but compress windows this month due to the zero‑day set. [lansweeper.com]
CVE Summary Table (Sample)
The counts below reflect Microsoft/industry synopses available as of Feb 11, 2026.
| CVE | Severity | Exploited? | Component / Area | Impact / Notes | Secure Chain Action |
|---|---|---|---|---|---|
| CVE‑2026‑21510 | Important | Yes | Windows Shell | SFB; SmartScreen/Shell prompts bypass | Patch immediately; tighten file/link controls [bleepingcomputer.com] |
| CVE‑2026‑21513 | Important | Yes | MSHTML Framework | SFB via crafted HTML/LNK | Patch immediately; reduce legacy IE surfaces [bleepingcomputer.com] |
| CVE‑2026‑21514 | Important | Yes | Microsoft Word | SFB; not triggerable via Preview Pane | Patch immediately; enforce File Block/Protected View [bleepingcomputer.com] |
| CVE‑2026‑21519 | Important | Yes | Desktop Window Manager | EoP to SYSTEM | Patch immediately; watch DWM chains in EDR [bleepingcomputer.com] |
| CVE‑2026‑21525 | Important | Yes | Remote Access Conn. Manager | DoS; exploited in wild | Patch quickly; monitor service health [bleepingcomputer.com] |
| (Multiple) | Critical | No data | Various | Microsoft lists 5 Critical vulnerabilities this month | Patch in early phase post zero‑days [bleepingcomputer.com] |
Known Issues & Workarounds
- Microsoft has been rolling out updated Secure Boot certificates and using telemetry‑gated delivery to ensure safe phasing—plan for staggered uptake and verify device eligibility during patch rollout. [bleepingcomputer.com]
- Track Windows 11 cumulative updates (KB5077181/KB5075941) behavior in pilot rings for any Wi‑Fi/WPA3 and gaming/driver regressions addressed this cycle before broad deployment. [bleepingcomputer.com]
Deployment Notes for IT
- Pilot → phased deploy within 24–72 hours for user endpoints; servers within 3–5 days, prioritizing internet‑facing workloads.
- Reboots: Required for most OS patches; coordinate with service owners.
- Policy hygiene: Revisit Office Protected View, SmartScreen, File Block, and attachment handling rules—especially given multiple SFB zero‑days.
Authoritative Sources & Further Reading
- BleepingComputer: “Microsoft February 2026 Patch Tuesday fixes 6 zero‑days, 58 flaws.” [bleepingcomputer.com]
- Qualys Blog: Monthly Patch Tuesday overview, Feb 2026. [blog.qualys.com]
- Lansweeper: Patch Tuesday February 2026 recap & audit tips. [lansweeper.com]
- SANS ISC: Recent Patch Tuesday context from Jan 2026 (for comparison of monthly trends). [isc.sans.edu]
Secure Chain Commentary
The February release again underscores how social‑engineering‑assisted bypasses (Shell/MSHTML/Word) and rapid privilege elevation can be chained for effective endpoint compromise. We recommend compressed patch windows this month and renewed emphasis on content isolation (Protected View/File Block), AppLocker/WDAC, and user education targeting shortcut/link hygiene.
About Secure Chain Technology Group
Secure Chain Technology Group helps organisations shrink time‑to‑patch and reduce breach exposure through pragmatic vulnerability management, Patch Tuesday oversight, and hands‑on remediation support across Microsoft estates
