Microsoft released its February 2026 Patch Tuesday updates on February 10, addressing 54 vulnerabilities, including six zero-days across Windows, Office, Azure, and developer tools.
The updates fix issues in products like Windows Remote Desktop Services, Microsoft Defender, Azure services, GitHub Copilot, Visual Studio Code, Microsoft Exchange, and Office apps.
Severity ratings include two Critical flaws and numerous Important ones, with types including remote code execution (RCE), elevation of privilege (EoP), information disclosure, spoofing, denial-of-service (DoS), and security feature bypass. Microsoft marks customer action as required for all listed CVEs and urges immediate patching.
| Vulnerability Type | Count |
|---|---|
| Remote Code Execution | 11 |
| Denial of Service | 3 |
| Elevation of Privilege | 23 |
| Information Disclosure | 5 |
| Security Feature Bypass | 5 |
| Spoofing | 7 |
| Total | 54 |
Six zero-days were patched, marked as publicly disclosed and/or exploited prior to release. These include:
Attackers could chain these for broader compromise, such as bypassing protections to execute code or escalate privileges.
Two Critical vulnerabilities demand priority:
| CVE ID | Type | Affected Product | Implication |
|---|---|---|---|
| CVE-2026-23655 | Information Disclosure | Azure Compute Gallery (ACI Confidential Containers) | Allows sensitive data leak from confidential workloads. |
| CVE-2026-21522 | Elevation of Privilege | Azure Compute Gallery (ACI Confidential Containers) | Enables privilege escalation in container environments. |
These Azure flaws highlight risks in cloud-native confidential computing.
RCE flaws pose high risks in cloud and endpoint tools:
Office issues include spoofing in Outlook (CVE-2026-21527, CVE-2026-21260), info disclosure/EoP in Excel (CVE-2026-21261, CVE-2026-21259, CVE-2026-21258), and Word bypass (CVE-2026-21514). Windows sees EoP in HTTP.sys (CVE-2026-21250), Hyper-V bypass (CVE-2026-21255), and storage (CVE-2026-21508).
Azure-specific: Spoofing in HDInsight (CVE-2026-21529), info disclosure in IoT Explorer SDK (CVE-2026-21528). Other: XSS spoofing in Azure DevOps (CVE-2026-21512).
Developers (Copilot/VS Code), enterprises (Azure/Exchange), and endpoints (Windows/Defender) face elevated risk. Exploitation could lead to data theft, lateral movement, or full compromise.
The table below summarizes the CVEs, including links to the official Microsoft Security Response Center (MSRC) pages for each vulnerability, along with their impact, severity, and affected product details.
| CVE ID | Impact | Severity | Vulnerability Title | Product/Component |
|---|---|---|---|---|
| CVE-2026-23655 | Information Disclosure | Critical | Microsoft ACI Confidential Containers Information Disclosure Vulnerability | Azure Compute Gallery |
| CVE-2026-21537 | Remote Code Execution | Important | Microsoft Defender for Endpoint Linux Extension Remote Code Execution Vulnerability | Microsoft Defender for Linux |
| CVE-2026-21533 | Elevation of Privilege | Important | Windows Remote Desktop Services Elevation of Privilege Vulnerability | Windows Remote Desktop |
| CVE-2026-21531 | Remote Code Execution | Important | Azure SDK for Python Remote Code Execution Vulnerability | Azure SDK |
| CVE-2026-21529 | Spoofing | Important | Azure HDInsight Spoofing Vulnerability | Azure HDInsights |
| CVE-2026-21528 | Information Disclosure | Important | Azure IoT Explorer Information Disclosure Vulnerability | Azure IoT SDK |
| CVE-2026-21527 | Spoofing | Important | Microsoft Exchange Server Spoofing Vulnerability | Microsoft Exchange Server |
| CVE-2026-21525 | Denial of Service | Moderate | Windows Remote Access Connection Manager Denial of Service Vulnerability | Windows Remote Access Connection Manager |
| CVE-2026-21523 | Remote Code Execution | Important | GitHub Copilot and Visual Studio Code Remote Code Execution Vulnerability | GitHub Copilot and Visual Studio |
| CVE-2026-21522 | Elevation of Privilege | Critical | Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability | Azure Compute Gallery |
| CVE-2026-21519 | Elevation of Privilege | Important | Desktop Window Manager Elevation of Privilege Vulnerability | Desktop Window Manager |
| CVE-2026-21518 | Security Feature Bypass | Important | GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability | GitHub Copilot and Visual Studio Code |
| CVE-2026-21517 | Elevation of Privilege | Important | Windows App for Mac Installer Elevation of Privilege Vulnerability | Windows App for Mac |
| CVE-2026-21516 | Remote Code Execution | Important | GitHub Copilot for JetBrains Remote Code Execution Vulnerability | GitHub Copilot |
| CVE-2026-21514 | Security Feature Bypass | Important | Microsoft Word Security Feature Bypass Vulnerability | Microsoft Office Word |
| CVE-2026-21513 | Security Feature Bypass | Important | MSHTML Framework Security Feature Bypass Vulnerability | MSHTML Framework |
| CVE-2026-21512 | Spoofing | Important | Azure DevOps Server Cross-Site Scripting Vulnerability | Azure DevOps Server |
| CVE-2026-21511 | Spoofing | Important | Microsoft Outlook Spoofing Vulnerability | Microsoft Office Outlook |
| CVE-2026-21510 | Security Feature Bypass | Important | Windows Shell Security Feature Bypass Vulnerability | Windows Shell |
| CVE-2026-21508 | Elevation of Privilege | Important | Windows Storage Elevation of Privilege Vulnerability | Windows Storage |
| CVE-2026-21261 | Information Disclosure | Important | Microsoft Excel Information Disclosure Vulnerability | Microsoft Office Excel |
| CVE-2026-21260 | Spoofing | Important | Microsoft Outlook Spoofing Vulnerability | Microsoft Office Outlook |
| CVE-2026-21259 | Elevation of Privilege | Important | Microsoft Excel Elevation of Privilege Vulnerability | Microsoft Office Excel |
| CVE-2026-21258 | Information Disclosure | Important | Microsoft Excel Information Disclosure Vulnerability | Microsoft Office Excel |
| CVE-2026-21257 | Elevation of Privilege | Important | GitHub Copilot and Visual Studio Elevation of Privilege Vulnerability | GitHub Copilot and Visual Studio |
| CVE-2026-21256 | Remote Code Execution | Important | GitHub Copilot and Visual Studio Remote Code Execution Vulnerability | GitHub Copilot and Visual Studio |
| CVE-2026-21255 | Security Feature Bypass | Important | Windows Hyper-V Security Feature Bypass Vulnerability | Windows Hyper-V |
| CVE-2026-21253 | Elevation of Privilege | Important | Mailslot File System Elevation of Privilege Vulnerability | Mailslot File System |
| CVE-2026-21251 | Elevation of Privilege | Important | Cluster Client Failover (CCF) Elevation of Privilege Vulnerability | Windows Cluster Client Failover |
| CVE-2026-21250 | Elevation of Privilege | Important | Windows HTTP.sys Elevation of Privilege Vulnerability | Windows HTTP.sys |
Prioritize critical and zero-day patches via Windows Update or WSUS; test in staging environments. Enable auto-updates, monitor MSRC for revisions, and audit Azure/Office configs. CISA may add top CVEs to the KEV catalog soon.
Tyler Reguly, Associate Director of Fortra, stated to Cybersecurity News that “On first pass, this month looks pretty reasonable – 60 CVEs, including one assigned by the Chrome CNA. When you look a little more closely, you start to realize that there is a lot going on here. February can be a bit of a cold, dull month, but Microsoft has decided to heat things up a bit. The good news, there’s not a lot of CVEs to deal with, the bad news, there’s actually a lot to unpack here. We can’t ignore the fact that there are 6 actively exploited vulnerabilities included in this month’s patch drop. 10% of this month’s vulnerabilities are listed by Microsoft as exploit detected.”