
February Patch Tuesday: Microsoft drops six zero-days


Microsoft has released fixes for six newly-classified zero-day common vulnerabilities and exposures (CVEs) on the second monthly Patch Tuesday of 2026, amid a release comprising over 50 flaws that run the full gamut of Microsoft’s product suite.

Although the total number of flaws is down by about half on January’s bumper crop, it’s about on par for this time of year, explained Dustin Childs of Trend Micro’s Zero Day Initiative (ZDI). However, he added, the number under active attack is “extraordinarily high”.

Indeed, with all six zero-days under active exploitation in the wild, and three of them already made public, Childs noted: “We’ll see if we’re on our way to another ‘hot exploit summer’ as we saw a few years ago or if this is just an aberration.”

The three ‘classic’ zero-days are all security feature bypass (SFB) vulnerabilities, tracked variously as CVE-2026-21510 in Windows SmartScreen, CVE-2026-21514 in Microsoft Word, and CVE-2026-21513 in Internet Explorer.

The three zero-days for which exploit proofs of concept (PoCs) have not yet been made public are tracked as CVE-2026-21519, an elevation of privilege (EoP) flaw in Desktop Window Manager, CVE-2026-21525, a denial of service (DoS) flaw in Windows Remote Access Connection Manager, and finally, CVE-2026-21533, an EoP flaw in Windows Remote Desktop Services.

Seth Hoyt, senior security engineer at endpoint security platform Automox, said the flaw in Windows Shell was particularly dangerous because its effect is basically to neutralise the essential SmartScreen feature in Microsoft Defender.

“SmartScreen serves as a critical checkpoint: when you download an executable or document, it prompts you to confirm whether you trust the source. This bypass removes that checkpoint entirely,” he said. “Files from the internet execute without triggering the usual warning dialog, giving attackers a clean path to run malicious code once a user clicks a phishing link.

“The attack still requires user interaction, but with one less security prompt in the way, the barrier to successful exploitation drops significantly,” said Hoyt.

Beyond patching, he advised defenders to be alert to unusual cmd.exe or PowerShell activity in the wake of a file download, or odd processes spawning from files in Downloads or temporary directories that don’t have corresponding SmartScreen events logged. It is also worth applying endpoint hardening measures such as Attack Surface Reduction rules.

Hoyt added that CVE-2026-21514 works in a similar way and should be treated in the same terms.
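The triage Hoyt describes can be sketched over process-creation telemetry. This is an added example, not code from Automox or Microsoft: the event schema, its field names and the two-minute correlation window are assumptions, and the sample events are constructed.

```python
import ntpath
import re
from datetime import datetime, timedelta

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
USER_WRITABLE = re.compile(r"\\(downloads|temp|tmp)\\", re.I)
WINDOW = timedelta(minutes=2)  # assumed correlation window, tune per environment

# Constructed events in a made-up normalised schema (not a vendor log format).
EVENTS = [
    {"t": "2026-02-11T09:00:05", "kind": "download", "file": r"C:\Users\ana\Downloads\setup.exe"},
    {"t": "2026-02-11T09:00:20", "kind": "smartscreen_prompt", "file": r"C:\Users\ana\Downloads\setup.exe"},
    {"t": "2026-02-11T09:00:25", "kind": "process_start",
     "image": r"C:\Users\ana\Downloads\setup.exe", "parent": r"C:\Windows\explorer.exe"},
    {"t": "2026-02-11T10:14:02", "kind": "download", "file": r"C:\Users\raj\Downloads\invoice.exe"},
    {"t": "2026-02-11T10:14:30", "kind": "process_start",
     "image": r"C:\Users\raj\Downloads\invoice.exe", "parent": r"C:\Windows\explorer.exe"},
    {"t": "2026-02-11T10:14:31", "kind": "process_start",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Users\raj\Downloads\invoice.exe"},
    {"t": "2026-02-11T11:30:00", "kind": "process_start",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
]

def triage(events):
    """Return (time, image name, reasons) for process starts worth reviewing."""
    # Files for which a SmartScreen prompt was logged at all.
    prompted = {e["file"].lower() for e in events if e["kind"] == "smartscreen_prompt"}
    # Download times of files that never produced a prompt.
    unprompted_dl = [datetime.fromisoformat(e["t"]) for e in events
                     if e["kind"] == "download" and e["file"].lower() not in prompted]
    findings = []
    for e in events:
        if e["kind"] != "process_start":
            continue
        when, reasons = datetime.fromisoformat(e["t"]), []
        # Process (or its parent) runs from Downloads/Temp with no prompt on record.
        for role in ("image", "parent"):
            path = e[role]
            if USER_WRITABLE.search(path) and path.lower() not in prompted:
                reasons.append(f"{role}_in_user_writable_dir_without_smartscreen_event")
        # cmd.exe / PowerShell starting shortly after an unprompted download.
        is_shell = ntpath.basename(e["image"]).lower() in SHELLS
        if is_shell and any(timedelta(0) <= when - d <= WINDOW for d in unprompted_dl):
            reasons.append("shell_soon_after_unprompted_download")
        if reasons:
            findings.append((e["t"], ntpath.basename(e["image"]), reasons))
    return findings
```

On the constructed data, the prompted `setup.exe` launch and the unrelated PowerShell start stay quiet, while `invoice.exe` and the `cmd.exe` it spawns are both returned for review.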

Meanwhile, Jack Bicer, vulnerability research director at patch management specialist Action1, turned to the MSHTML Framework flaw in Internet Explorer, CVE-2026-21513.

“The MSHTML Framework [is] a core component used by Windows and multiple applications to render HTML content,” he said. “[CVE-2026-21513] is caused by a security mechanism failure that allows attackers to bypass execution prompts when users interact with malicious files. A crafted file can silently bypass Windows security prompts and trigger dangerous actions with a single click.

“Exploitation occurs over the network and requires user interaction, such as opening a malicious HTML file or clicking a shortcut delivered via email, link, or download. No privileges are required by the attacker,” he added.

Bicer explained that such SFB flaws significantly increase the success rate of phishing and campaigns that ultimately have impacts far beyond embarrassment for the one person who accidentally clicked on something without thinking. In enterprise environments they become a gateway to a whole host of nasties, including unauthorised code execution, malware and ransomware deployment, credential and data theft, and other compromises.

Deep dependence

Coming a month after January’s blockbuster Patch Tuesday, Cory Simpson, senior advisor to the Cyberspace Solarium Commission and a former advisor to the US Special Operations Command, said that 2026 was already off to a concerning start.

He described the situation on the ground as standing in “stark contrast” to the picture painted in Microsoft’s November 2025 Secure Future Initiative report, which hailed the idea of ‘security above all else’ as a tenet at Redmond.

“Patch volumes like today’s, six active zero-days, reflect the structural risk created by deep dependence on Microsoft across enterprise environments,” Simpson told Computer Weekly.

“Security management begins with baseline hygiene and extends to resilience-by-design: diversified dependencies, reduced concentration risk, and architectures built to operate under persistent vulnerability discovery,” he said.