Microsoft Releases February 2026 Security Updates

Scheduled updates for Microsoft products address 58 vulnerabilities, including six actively exploited vulnerabilities

Threat ID:: CC-4744
Threat Severity:: Medium
Published:: 11 February 2026 2:18 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Scheduled updates for Microsoft products address 58 vulnerabilities, including six actively exploited vulnerabilities

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows Server

The following platforms are also known to be affected:

Multiple other Microsoft platforms. Please see Microsoft's February 2026 Security Update guide for full details.

Threat details

Exploitation in the wild

The US Cybersecurity and Infrastructure Security Agency (CISA) has added six vulnerabilities listed bellow to their Known Exploited Vulnerabilities (KEV) Catalog.

CVE-2026-21510
CVE-2026-21513
CVE-2026-21514
CVE-2026-21519
CVE-2026-21525
CVE-2026-21533

The NHS England National CSOC assesses exploitation as highly likely.

Introduction

Microsoft has released security updates to address 58 vulnerabilities in Microsoft products. Six exploited vulnerabilities are highlighted below.

CVE-2026-21510 - 'Windows Shell Security Feature Bypass' Vulnerability - CVSSv3 score: 8.8
CVE-2026-21513 - 'MSHTML Framework Security Feature Bypass' Vulnerability - CVSSv3 score: 8.8
CVE-2026-21514 - 'Microsoft Word Security Feature Bypass' Vulnerability - CVSSv3 score: 7.8
CVE-2026-21519 - 'Microsoft Word Security Feature Bypass' Vulnerability - CVSSv3 score: 7.8
CVE-2026-21525 - 'Desktop Window Manager Elevation of Privilege' Vulnerability - CVSSv3 score: 7.8
CVE-2026-21533 - 'Windows Remote Desktop Services Elevation of Privilege' Vulnerability - CVSSv3 score: 7.8

Remediation advice

Affected organisations are encouraged to review Microsoft's February 2026 Security Updates and apply the relevant updates as soon as possible.

Definitive source of threat updates

https://msrc.microsoft.com/update-guide/releaseNote/2026-Feb

CVE Vulnerabilities

Status Published

CVE-2026-21510

Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.

Status Published

CVE-2026-21513

Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.

Status Published

CVE-2026-21514

Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.

Status Published

CVE-2026-21519

Access of resource using incompatible type ('type confusion') in Desktop Window Manager allows an authorized attacker to elevate privileges locally.

Status Published

CVE-2026-21525

Null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally.

Status Published

CVE-2026-21533

Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate privileges locally.

Last edited: 11 February 2026 2:18 pm