Microsoft’s February 2026 Patch Tuesday is a heavy one. Over 50 vulnerabilities patched, six of which are zero-days already being exploited in the wild.
The Zero-Days
These are the flaws attackers are using right now:
- CVE-2026-21510 (Windows Shell) — A malicious link can bypass security protections with no warning to the user.
- CVE-2026-21513 (MSHTML) — Security feature bypass in the web browser engine.
- CVE-2026-21514 (Microsoft Word) — Related security bypass triggered through document handling.
- CVE-2026-21533 (Windows RDS) — Local privilege escalation to SYSTEM. If an attacker is already on the box, this gets them full control.
- CVE-2026-21519 (Desktop Window Manager) — Another privilege elevation — the second DWM zero-day in two months.
- CVE-2026-21525 (Remote Access Connection Manager) — Denial-of-service that can knock out VPN connectivity.
AI Tooling Gets Its Own Patch
Also notable: Microsoft patched remote code execution flaws in GitHub Copilot, VS Code, Visual Studio, and JetBrains IDEs. The root cause is command injection via prompt injection — AI agents being tricked into running attacker-controlled commands.
The recommendation from researchers: apply least-privilege principles to any AI coding agents, and limit what credentials they can access.
What to Do
Patch. Don’t wait. The actively exploited flaws cover everyday components — the Windows shell, Word documents, the browser engine, and VPN infrastructure. These aren’t edge cases.
For our managed clients, we’re already rolling these updates out. If you handle your own patching, prioritize the six zero-days above and test promptly.