Microsoft Fixes Six Zero Day Vulnerability in February Patch Tuesday
Microsoft Fixes Six Zero Day Vulnerability in February Patch Tuesday
https://www.infosecurity-magazine.com/news/microsoft-six-zero-day-feb-2026/
Publish Date: 2026-02-11 04:50:00
Source Domain: www.infosecurity-magazine.com
System administrators are likely to have a busy February after Microsoft released updates to fix six actively exploited zero-day vulnerabilities, three of which have been publicly disclosed.
The zero-days are as follows:
- CVE-2026-21510 is a security feature bypass vulnerability in Windows Shell which enables unauthorized attackers to circumvent Windows SmartScreen and security prompt protections by tricking victims into clicking on a malicious link
- CVE-2026-21513 is a security feature bypass vulnerability in the Microsoft MSHTML Framework, which is used by Windows and various applications to render HTML content. “A crafted file can silently bypass Windows security prompts and trigger dangerous actions with a single click,” warned Action1 director of vulnerability research, Jack Bicer
- CVE-2026-21514 is a security feature bypass vulnerability in Microsoft Word. Exploitation requires no privileges but the victim must open a malicious document
- CVE-2026-21519 is an elevation of privilege (EoP) flaw in the Windows Desktop Window Manager (DWM) which allows attackers turn basic access into full system control. It’s unclear how it is being exploited
- CVE-2026-21525 is a denial-of-service vulnerability affecting the Windows Remote Access Connection Manager. “Exploitation is local, requires no privileges, and does not rely on user interaction,” explained Action1 president, Mike Walters. “An attacker with basic local access can repeatedly trigger the flaw to cause persistent service disruption.”
- CVE-2026-21533 is another EoP vulnerability in Windows Remote Desktop Services. Exploitation is local, requires only low privileges, and does not need user interaction, noted Bicer
Read more on Patch Tuesday: Microsoft Fixes Three Zero-Days on Busy Patch Tuesday.
In total this month, most CVEs disclosed by Microsoft were EoP (25), followed by remote code execution (12), spoofing (7), information disclosure (6) and security feature bypass (5).
None of…
