Microsoft Zero Day Vulnerabilities – February 2026

Microsoft released the ‘Patch Tuesday’ updates on 10 February 2026. The latest security updates address 6 security vulnerabilities that have been classified as zero-day vulnerabilities.

We look at the 6 zero-day vulnerabilities in brief below. Security administrators are advised to install the latest security updates as early as possible to resolve the vulnerabilities.

This note covers the following zero-day vulnerabilities, reported and fixed on 10 February 2026.

In case you are wondering about zero-day vulnerabilities, it is prudent to define them here for ready reference. A zero-day vulnerability is a vulnerability that has either already been exploited by threat actors or has been publicly disclosed, which brings an imminent rise in security threat levels. Zero-day vulnerabilities need to be patched immediately.

CVE-2026-21510 – Windows Shell Security Feature Bypass Vulnerability

This is a CVSS 8.8 security vulnerability that stems from the CWE-693 weakness. Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.

This vulnerability affects the following:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025
  • Windows 10 versions 1607, 1809, 21H2, 22H2
  • Windows 11 versions 23H2, 24H2, 25H2, 26H1

CVE-2026-21513 – MSHTML Framework Security Feature Bypass Vulnerability

This is a CVSS 8.8 security vulnerability that stems from the CWE-693 weakness. Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.

This vulnerability affects the following:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025
  • Windows 10 versions 1607, 1809, 21H2, 22H2
  • Windows 11 versions 23H2, 24H2, 25H2, 26H1

CVE-2026-21514 – Microsoft Word Security Feature Bypass Vulnerability

This is a CVSS 7.8 security vulnerability that stems from the CWE-807 weakness. Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally. This vulnerability has already been exploited by threat actors.

This vulnerability affects the following:

  • Microsoft Office LTSC for Mac 2024
  • Microsoft Office LTSC 2024 for 64-bit editions
  • Microsoft Office LTSC 2024 for 32-bit editions
  • Microsoft Office LTSC 2021 for 32-bit editions
  • Microsoft Office LTSC 2021 for 64-bit editions
  • Microsoft Office LTSC for Mac 2021
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft 365 Apps for Enterprise for 32-bit Systems

CVE-2026-21519 – Desktop Window Manager Elevation of Privilege Vulnerability

This is a CVSS 7.8 security vulnerability that stems from the CWE-843 weakness. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

The vulnerability has already been exploited by threat actors.

This vulnerability affects the following:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025
  • Windows 10 versions 1607, 1809, 21H2, 22H2
  • Windows 11 versions 23H2, 24H2, 25H2, 26H1

CVE-2026-21525 – Windows Remote Access Connection Manager Denial of Service Vulnerability

This vulnerability has a CVSS score of 6.2 and has already been exploited by threat actors. It stems from the CWE-476 weakness.

Null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally.

This vulnerability affects the following:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025
  • Windows 10 versions 1607, 1809, 21H2, 22H2
  • Windows 11 versions 23H2, 24H2, 25H2, 26H1

CVE-2026-21533 – Windows Remote Desktop Services Elevation of Privilege Vulnerability

This is a CVSS 7.8 security vulnerability that has already been exploited by threat actors. It stems from the CWE-269 weakness. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

This vulnerability affects the following:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025
  • Windows 10 versions 1607, 1809, 21H2, 22H2

Rajesh Dhawan