Overview
- The zero‑days span Windows Shell/SmartScreen (CVE‑2026‑21510), MSHTML and Word security‑feature bypasses, Desktop Window Manager and Remote Desktop privilege escalations, and a RasMan denial‑of‑service.
- CISA added all six flaws to its Known Exploited Vulnerabilities catalog with a March 3, 2026 remediation deadline for federal agencies.
- Google reported the Windows Shell bug (CVE‑2026‑21510) is under widespread, active exploitation that can silently run high‑privilege malware after a single click.
- Microsoft said several bugs were publicly disclosed and exploit details have been published, with the bypasses removing user prompts that raise phishing and one‑click compromise risk while EoP bugs enable SYSTEM‑level escalation once attackers gain access.
- Beyond Windows and Office, Microsoft flagged two critical Azure issues (CVE‑2026‑21531 and CVE‑2026‑24300) and began delivering updated Secure Boot certificates through Windows Update.