6 Actively Exploited Zero-Days Patched by Microsoft With February 2026 Updates

Microsoft’s February 2026 Patch Tuesday updates fix roughly 60 vulnerabilities found in the company’s products, including six actively exploited zero-days.

The zero-days are:

• CVE-2026-21510: a Windows SmartScreen and Windows Shell security prompts bypass that can be exploited by convincing the targeted user to open a malicious link or shortcut file.
• CVE-2026-21514: a vulnerability that allows an attacker to bypass OLE mitigations in Microsoft 365 and Office by tricking the target into opening a malicious Office file.
• CVE-2026-21513: an Internet Explorer issue that allows an attacker to bypass security controls and potentially execute code by convincing the victim to open a malicious HTML or LNK file.
• CVE-2026-21519: a Windows Desktop Window Manager flaw that can be exploited by a local attacker for privilege escalation.
• CVE-2026-21533: a Windows Remote Desktop Services vulnerability that allows an attacker to escalate privileges to System.
• CVE-2026-21525: a Windows Remote Access Connection Manager bug that ...