February 2026 Patch Tuesday: Six Zero-Days Among 59 CVEs Patched

• Patch Tuesday 2026 fixed 59 CVEs, including six critical zero‑days. • CVE‑2026‑21533: Windows Remote Desktop elevation of privilege, CVSS 7.8. • Exploit modifies service config key, enabling admin user creation. • CrowdStrike traced attacks to U.S./Canada since Dec 24 2025. • CVE‑2026‑21513: MSHTML Framework bypass, CVSS 8.8, active exploitation. • Public disclosure may spur threat actors to monetize exploits.

Article Summaries:

• Actively Exploited Zero-Day Vulnerability in Windows Remote Desktop CVE-2026-21533 is an Important elevation of privilege vulnerability affecting Windows Remote Desktop Services and has a CVSS score of 7.8. Microsoft has confirmed this vulnerability is being actively exploited in the wild but had not been publicly disclosed. CrowdStrike identified and reported this vulnerability to Microsoft. The CVE-2026-21533 exploit binary modifies a service configuration key, replacing it with an attacker-controlled key, which could enable adversaries to escalate privileges to add a new user to the Adminis
• Microsoft’s February 2026 Patch Tuesday fixed six zero‑day flaws among 59 total CVEs, spotlighting three that had been actively exploited. CVE‑2026‑21533, an elevation‑of‑privilege bug in Windows Remote Desktop Services (CVSS 7.8), was identified by CrowdStrike and has targeted U.S. and Canadian entities since late December 2025. CVE‑2026‑21513 (CVSS 8.8) and CVE‑2026‑21510 (CVSS 8.8) are security‑feature bypasses in the MSHTML framework and Windows Shell, respectively; both are publicly disclosed and already in the wild. Microsoft’s disclosure is likely to prompt further exploitation by actors holding the exploit binaries.
• Microsoft released its February 2026 Patch Tuesday update, addressing 59 CVEs, including six zero‑day vulnerabilities. Three of the most critical were actively exploited in the wild: CVE‑2026‑21533, an elevation‑of‑privilege flaw in Windows Remote Desktop Services (CVSS 7.8) reported by CrowdStrike; CVE‑2026‑21513, a security‑feature bypass in the MSHTML framework (CVSS 8.8); and CVE‑2026‑21510, a bypass of Windows SmartScreen and Shell prompts (CVSS 8.8). The patches mitigate risks that could allow attackers to execute code or add privileged users after convincing victims to open malicious files or links.
• Microsoft released its February 2026 Patch Tuesday update, addressing six zero‑day vulnerabilities among 59 total CVEs. Three of the patched flaws were actively exploited in the wild: CVE‑2026‑21533, an elevation‑of‑privilege bug in Windows Remote Desktop Services (CVSS 7.8), reported by CrowdStrike; CVE‑2026‑21513, a security‑feature bypass in the MSHTML framework (CVSS 8.8) that lets attackers trick users into executing malicious HTML or shortcut files; and CVE‑2026‑21510, a similar bypass in Windows Shell (CVSS 8.8) that defeats SmartScreen warnings. Microsoft confirmed exploitation for all three and warned that public disclosure could spur further use or monetization by threat actors.
• Microsoft released patches for six zero‑day vulnerabilities as part of its February 2026 Patch Tuesday, bringing the total to 59 CVEs addressed. Three of the zero‑days were actively exploited in the wild: CVE‑2026‑21533, an elevation‑of‑privilege flaw in Windows Remote Desktop Services (CVSS 7.8); CVE‑2026‑21513, a security‑feature bypass in the MSHTML framework (CVSS 8.8); and CVE‑2026‑21510, a bypass of Windows SmartScreen and Shell prompts (CVSS 8.8). CrowdStrike identified and reported the Remote Desktop flaw, and Microsoft confirmed active exploitation for all three. The disclosure may encourage further use of the exploits.

Sources:

• https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-february-2026/