Microsoft’s February Patch Tuesday Fixes 59 Flaws as Six Zero-Days Are Actively Exploited

Overview

• Microsoft addressed 59 vulnerabilities across Windows, Azure, Office, and developer tools plus two Chromium issues impacting Edge.
• Three publicly exploited security feature bypasses target Windows Shell (CVE-2026-21510), the legacy MSHTML engine (CVE-2026-21513), and Microsoft Word (CVE-2026-21514).
• Three additional exploited flaws include Desktop Window Manager type confusion (CVE-2026-21519), Windows Remote Desktop privilege escalation (CVE-2026-21533), and a Remote Access Connection Manager denial of service (CVE-2026-21525).
• Critical cloud-side issues include two 9.8 CVSS bugs in Azure SDK (CVE-2026-21531) and Azure Front Door (CVE-2026-24300), with SANS noting three critical Azure vulnerabilities were already patched by Microsoft.
• CISA added all six zero-days to its Known Exploited Vulnerabilities catalog, while Microsoft also flagged a Defender for Linux flaw with possible remote code execution (CVE-2026-23655) and patched Chromium bugs in libvpx (CVE-2026-1861) and V8 (CVE-2026-1862).