• I have survived the biggest Pwn2Own ever, but I’m back in Tokyo for the second Patch Tuesday of 2026. • My location never stops Patch Tuesday from coming, so let’s take a look at the latest security patches from Adobe and Microsoft. • If you’d rather watch the full video recap covering the entire release, you can check it out here: Adobe Patches for February 2026 For February, Adobe released nine bulletins addressing 44 unique CVEs in Adobe Audition, After Effects, InDesign, Substance 3D Designer, Substance 3D Stager, Adobe Bridge, Substance 3D Modeler, Lightroom Classic, and the Adobe DNG Software Development Kit (SDK). • The largest update here is for After Effects, which fixes 13 Critical and two Important rated bugs. • The patch for Substance 3D Designer is on the larger side with seven fixes, but only two of those are Critical. • On the other hand, the fix for Substance 3D Stager corrects five Critical-rated bugs that could lead to code execution.

Article Summaries:

  • February 2026 Security Update Review

Adobe issued nine security bulletins covering 44 CVEs across its creative suite, with the largest patch for After Effects (13 critical bugs) and significant fixes for Substance 3D Designer and Stager. All Adobe updates were priority 3 and none were publicly exploited at release. Microsoft released 58 new CVEs (62 when including third‑party Chromium fixes), including five critical, two moderate, and the rest important. Six of these vulnerabilities were actively exploited at the time of Patch Tuesday, three of which were publicly known, notably CVE‑2026‑21510, a Windows Shell bypass that allows code execution with user interaction. The month’s patch cycle reflects a heightened exploitation landscape, raising concerns about a potential “hot exploit summer.”

  • Microsoft released its February 2026 Patch Tuesday, addressing more than 50 security vulnerabilities across Windows and related software. The update includes six zero‑day flaws: CVE‑2026‑21510 (Windows Shell bypass), CVE‑2026‑21513 (MSHTML), CVE‑2026‑21514 (Word), CVE‑2026‑21533 (Remote Desktop Services privilege escalation), CVE‑2026‑21519 (Desktop Window Manager), and CVE‑2026‑21525 (Remote Access Connection Manager denial‑of‑service). Additional patches fix remote code‑execution bugs in GitHub Copilot and IDEs (VS Code, Visual Studio, JetBrains) caused by prompt injection. Microsoft also issued out‑of‑band fixes in January for remote desktop and Office vulnerabilities. Administrators are advised to test patches and back up data before deployment.
  • Microsoft’s February 2026 Patch Tuesday addressed 59 vulnerabilities across its product line, including two “Critical” flaws in Microsoft ACI Confidential Containers (CVE‑2026‑21522 and CVE‑2026‑23655) that allow privilege escalation and information disclosure. The update also covers five “Important” vulnerabilities that are actively exploited, such as security‑feature bypasses in Windows Shell (CVE‑2026‑21510) and MSHTML (CVE‑2026‑21513), and privilege‑escalation issues in Desktop Window Manager (CVE‑2026‑21519) and Remote Desktop Services (CVE‑2026‑21533). A moderate denial‑of‑service flaw (CVE‑2026‑21525) in Remote Access Connection Manager is also noted. Additional important bugs affect Azure, Notepad, GitHub Copilot components, and Hyper‑V.
  • Microsoft’s February 2026 Patch Tuesday released 59 security updates, including six zero‑day vulnerabilities that are actively exploited. The flaws span Windows Shell (CVE‑2026‑21510), MSHTML (CVE‑2026‑21513), Microsoft Word (CVE‑2026‑21514), Desktop Window Manager (CVE‑2026‑21519), Remote Access Connection Manager (CVE‑2026‑21525), and Remote Desktop Services (CVE‑2026‑21533). They range from security‑feature bypasses that allow attackers to suppress SmartScreen prompts or weaken sandbox checks, to local elevation‑of‑privilege and denial‑of‑service issues. All require user interaction or local execution, but the patches mitigate the risks across Windows, Internet Explorer, Office, and remote‑access services.

Sources: