Microsoft Releases Extensive Security Updates in Early 2026, Addressing Multiple Actively Exploited Zero-Day Vulnerabilities

Microsoft's January & February 2026 Security Roundup: Over 170 Vulnerabilities Addressed, Multiple Zero-Days Exploited

Microsoft initiated 2026 with a robust series of security updates in January and February, collectively patching over 170 vulnerabilities across Windows operating systems and supported software. These critical releases addressed a significant threat landscape, including fixes for multiple actively exploited zero-day flaws and numerous critical vulnerabilities impacting core components like the Desktop Window Manager, Microsoft Office, and Windows Shell.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) underscored the severity of these issues by adding several actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, imposing strict patching deadlines for federal agencies.

January 2026 Security Updates

Microsoft's initial security update for 2026 was substantial, addressing 113 or 114 security vulnerabilities. This comprehensive release included fixes for eight critical vulnerabilities and three zero-day vulnerabilities. Notably, one zero-day was actively exploited in real-world scenarios, while two others were publicly disclosed prior to the patch release.

Key Vulnerabilities Addressed

  • CVE-2026-20805 (Desktop Window Manager Information Disclosure): This actively exploited zero-day flaw, with a CVSS score of 5.5, allowed a local, authorized attacker to disclose user-mode memory information. Security experts highlighted its potential use in bypassing Address Space Layout Randomization (ASLR) and facilitating complex exploits when combined with a code execution flaw. This vulnerability affected all currently supported Windows OS versions, with CISA mandating federal agencies to patch by February 3, 2026.

  • CVE-2026-21265 (Windows Secure Boot Bypass): A publicly disclosed Security Feature Bypass vulnerability rated critical (CVSS 6.4). The update for it focused on renewing the Windows Secure Boot certificates issued in 2011 that were nearing expiration, so that the Secure Boot trust chain and the verification of boot components continue to work, averting the boot disruptions Microsoft had warned about in November 2025.

  • CVE-2023-31096 (Windows Agere Soft Modem Driver Elevation of Privilege): For this publicly disclosed zero-day, the fix removed the agrsm64.sys and agrsm.sys modem drivers from Windows. These outdated third-party drivers, developed by a now-defunct company, contained a local privilege escalation flaw with known exploit code that could grant an attacker SYSTEM permissions.
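Because the fix for CVE-2023-31096 is a driver removal rather than a code change, the practical post-patch check is whether any copy of the two modules is still on the host. The following script is an added example, not Microsoft's code or part of the original article; it uses only the two file names given above and standard Windows locations (the live driver directory, the driver store, and the kernel driver service list) and reports anything it finds.

```powershell
# Added example (not Microsoft's code or the article's): confirm the retired Agere soft
# modem drivers named in the article are really gone from this host after patching.
# Run in an elevated PowerShell session.
$driverFiles = @('agrsm64.sys', 'agrsm.sys')   # file names as given in the article

function Get-AgereDriverResidue {
    $drivers = Join-Path $env:SystemRoot 'System32\drivers'
    $store   = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'

    # 1. Copies still sitting in the live driver directory
    foreach ($name in $driverFiles) {
        $path = Join-Path $drivers $name
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Kind   = 'LiveFile'
                Path   = $path
                Detail = "signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"
            }
        }
    }

    # 2. Staged packages in the driver store that could be reinstalled later
    Get-ChildItem -Path $store -Recurse -Include $driverFiles -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Kind   = 'DriverStoreCopy'
                Path   = $_.FullName
                Detail = "last modified $($_.LastWriteTime)"
            }
        }

    # 3. Kernel driver services whose image path still references either module
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'agrsm(64)?\.sys$' } |
        ForEach-Object {
            [pscustomobject]@{
                Kind   = 'DriverService'
                Path   = $_.PathName
                Detail = "service $($_.Name), state $($_.State), start mode $($_.StartMode)"
            }
        }
}

$residue = @(Get-AgereDriverResidue)
if ($residue.Count -eq 0) {
    'No Agere soft modem driver residue found.'
} else {
    $residue | Format-Table -AutoSize
}
```

An empty result is the expected state after the January update. A hit in the driver store matters even when the live file is gone, because a staged package can be reinstalled by Plug and Play if matching hardware is enumerated again.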

Other Notable Vulnerabilities

  • Microsoft Office Remote Code Execution: Two critical vulnerabilities (CVE-2026-20952 and CVE-2026-20953) in Microsoft Office could be triggered simply by viewing a malicious message in the Preview Pane.
  • Windows Virtualization-Based Security (VBS) Enclave Privilege Escalation (CVE-2026-20876): Rated Critical (CVSS 6.7), this flaw could allow an attacker to obtain Virtual Trust Level 2 (VTL2) privileges, potentially subverting security controls and achieving persistence.

By category, the January update addressed approximately:

  • 57-58 privilege escalation flaws
  • 21-22 remote code execution flaws
  • 22 information disclosure flaws
  • 5 spoofing flaws
  • 3 security feature bypass flaws
  • 2 denial of service vulnerabilities

Emergency Out-of-Band Office Update (CVE-2026-21509)

In an urgent response to active threats, Microsoft released out-of-band security patches to address CVE-2026-21509, a high-severity zero-day vulnerability in Microsoft Office. This flaw was actively exploited in real-world attacks and was described as a security feature bypass with a CVSS score of 7.8.

The vulnerability allowed attackers to bypass built-in protections designed to block unsafe COM and OLE controls, posing a significant risk to Office users.

  • Affected Versions and Exploitation: The vulnerability impacted Microsoft Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise. Exploitation required an attacker to send a malicious Office file and convince the user to open it; importantly, the Office preview pane was not an attack vector for this particular flaw.
  • Patching and Mitigation: Patches were promptly made available for most supported Office versions. For Office 2021 and later, protection was delivered through service-side changes, while users of Office 2016 and 2019 required specific updates. Microsoft also offered an alternative mitigation involving a manual Windows Registry change to enforce compatibility flags, effectively blocking a specific vulnerable COM object.
  • Limited Disclosure: Microsoft maintained a limited disclosure policy regarding the specific details of attacks leveraging CVE-2026-21509, including the nature or scope of exploitation and the identities of involved threat actors. CISA added this vulnerability to its KEV catalog, requiring federal agencies to apply patches by February 16, 2026.

February 2026 Security Updates

Microsoft's February 2026 Patch Tuesday continued the trend of critical updates, addressing a total of 58 vulnerabilities. This release included five critical flaws and, alarmingly, six actively exploited zero-day vulnerabilities. Three of these zero-days had also been publicly disclosed prior to the patch release.

Actively Exploited Zero-Day Vulnerabilities

  • CVE-2026-21510 (Windows Shell Security Feature Bypass): This critical flaw allowed attackers to bypass Windows SmartScreen and Shell security prompts. Attackers could convince a user to open a malicious link or shortcut file, leading to the execution of attacker-controlled content without user warning. Google's Threat Intelligence Group confirmed active exploitation.
  • CVE-2026-21513 (MSHTML Framework Security Feature Bypass): An actively exploited vulnerability in the MSHTML framework where a protection mechanism failure allowed an unauthorized network attacker to bypass a security feature.
  • CVE-2026-21514 (Microsoft Word Security Feature Bypass): This vulnerability in Microsoft Word could be exploited by convincing a user to open a malicious Office file. It specifically bypassed OLE mitigations in Microsoft 365 and Microsoft Office, though it was not exploitable through the Office Preview Pane.
  • CVE-2026-21519 (Desktop Window Manager Elevation of Privilege): Another actively exploited flaw in the Desktop Window Manager, this could allow an attacker to gain SYSTEM privileges.
  • CVE-2026-21525 (Windows Remote Access Connection Manager Denial of Service): This actively exploited vulnerability involved a null pointer dereference, enabling a local denial of service. An exploit for this issue was discovered in a public malware repository.
  • CVE-2026-21533 (Windows Remote Desktop Services Elevation of Privilege): This flaw involved improper privilege management in Windows Remote Desktop Services, allowing an authorized local attacker to elevate privileges. Observed exploits modified service configuration to enable adding a new user to the Administrator group.
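The description of the CVE-2026-21533 exploits (a service configuration change used to add an account to the local Administrators group) gives defenders a concrete log pattern to hunt for. The script below is an added example and not part of the original article; it correlates the standard Windows audit events for a service start-type change or new service (7040 and 7045 in the System log) with a member being added to a security-enabled local group (4732 in the Security log). The event IDs and the BUILTIN\Administrators SID are general Windows values, not taken from the article, and 4732 is only logged when the Security Group Management audit subcategory is enabled.

```powershell
# Added example (not from the article): hunt for the post-exploitation pattern the article
# describes for CVE-2026-21533, a service configuration change followed by a new member in
# the local Administrators group. Event IDs and the Administrators SID are standard Windows
# values, not values from the article. Run in an elevated PowerShell session.
function Find-ServiceChangeThenAdminAdd {
    param(
        [int]$LookbackHours = 24,   # how far back to read the logs
        [int]$WindowMinutes = 15    # max distance between a service change and the group add
    )
    $since    = (Get-Date).AddHours(-$LookbackHours)
    $adminSid = 'S-1-5-32-544'      # BUILTIN\Administrators

    # 7040 = service start type changed, 7045 = new service installed (System log)
    $svcEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 7040, 7045; StartTime = $since
    } -ErrorAction SilentlyContinue)

    # 4732 = member added to a security-enabled local group (Security log)
    $grpEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4732; StartTime = $since
    } -ErrorAction SilentlyContinue)

    foreach ($g in $grpEvents) {
        # Read named fields from the event XML rather than relying on message text or field order
        $data = @{}
        ([xml]$g.ToXml()).Event.EventData.Data | ForEach-Object {
            if ($_.Name) { $data[$_.Name] = $_.'#text' }
        }
        if ($data['TargetSid'] -ne $adminSid) { continue }

        $nearby = @($svcEvents | Where-Object {
            [math]::Abs(($_.TimeCreated - $g.TimeCreated).TotalMinutes) -le $WindowMinutes
        })
        [pscustomobject]@{
            Time           = $g.TimeCreated
            AddedMember    = $data['MemberName']
            AddedMemberSid = $data['MemberSid']
            AddedBy        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ServiceChanges = $nearby.Count
            ServiceDetails = ($nearby | ForEach-Object { $_.Message.Split("`n")[0] }) -join ' | '
        }
    }
}

Find-ServiceChangeThenAdminAdd | Format-List
```

Every Administrators group addition in the lookback window is reported; the ServiceChanges column is what separates routine provisioning (zero nearby service changes) from the sequence described above. Tune WindowMinutes to your environment and feed the same two event IDs to your SIEM if you would rather run this centrally than per host.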

Secure Boot Certificates Update

As part of the February updates, Microsoft initiated the phased rollout of new Secure Boot certificates. These certificates are crucial replacements for the original 2011 certificates, which are set to expire in late June 2026, ensuring continued system integrity during the boot process.
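Whether a given machine has actually received the replacement certificates is a firmware question, not a Windows Update question: the new CAs must be present in the UEFI db (allowed signers) and KEK variables. The script below is an added example, not Microsoft's code or part of the original article. It reads those variables with the built-in Secure Boot cmdlets and reports which Microsoft CAs they contain. The certificate subject names are assumptions about the 2011 and 2023 Microsoft CA names and are not stated in the article.

```powershell
# Added example (not Microsoft's code or the article's): report which Microsoft Secure Boot
# CAs this machine's firmware trusts, so you can tell whether the 2023 replacements the
# article describes have reached this host before the 2011 certificates expire. The CA
# names below are assumed subject names, not values from the article. Run elevated on UEFI.
$secureBootCAs = @(
    @{ Variable = 'db';  Name = 'Microsoft Windows Production PCA 2011'; Role = 'Windows boot manager signer (2011, expiring)' }
    @{ Variable = 'db';  Name = 'Microsoft Corporation UEFI CA 2011';    Role = 'Third-party / option ROM signer (2011, expiring)' }
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023';                  Role = 'Windows boot manager signer (2023 replacement)' }
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023';                Role = 'Third-party signer (2023 replacement)' }
    @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023';     Role = 'Option ROM signer (2023 replacement)' }
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK CA 2011';     Role = 'Key exchange key (2011, expiring)' }
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023';  Role = 'Key exchange key (2023 replacement)' }
)

function Get-SecureBootCAReport {
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        throw "Secure Boot state could not be read (legacy BIOS or insufficient privileges): $_"
    }
    if (-not $enabled) {
        Write-Warning 'Secure Boot is disabled; the variables below are not being enforced.'
    }

    # Read each variable once. Certificates are DER-encoded inside EFI_SIGNATURE_LIST entries
    # and their subject names are PrintableStrings (plain ASCII), so a substring search over
    # the raw bytes finds them without a full signature-list parser.
    $raw = @{}
    $variables = $secureBootCAs | ForEach-Object { $_.Variable } | Select-Object -Unique
    foreach ($v in $variables) {
        $bytes   = (Get-SecureBootUEFI -Name $v).Bytes
        $raw[$v] = [System.Text.Encoding]::ASCII.GetString($bytes)
    }

    foreach ($ca in $secureBootCAs) {
        [pscustomobject]@{
            Variable    = $ca.Variable
            Certificate = $ca.Name
            Role        = $ca.Role
            Present     = $raw[$ca.Variable].Contains($ca.Name)
        }
    }
}

$report = @(Get-SecureBootCAReport)
$report | Format-Table -AutoSize
$replacements = @($report | Where-Object { $_.Certificate -like '*2023*' -and $_.Present })
if ($replacements.Count -eq 0) {
    Write-Warning 'No 2023 Secure Boot CA found: the replacement certificates have not been applied to this host yet.'
}
```

The 2011 entries will remain present after the rollout; what you are looking for is the 2023 entries appearing alongside them. The ASCII substring search is deliberately simple: if a firmware vendor ever stored a certificate with a non-PrintableString subject encoding it would be missed, so treat a surprising "not present" as a prompt to parse the signature list properly rather than as a final answer.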

Vulnerability Categories

The February updates included:

  • 25 Elevation of Privilege vulnerabilities
  • 5 Security Feature Bypass vulnerabilities
  • 12 Remote Code Execution vulnerabilities
  • 6 Information Disclosure vulnerabilities
  • 3 Denial of Service vulnerabilities
  • 7 Spoofing vulnerabilities

Additional Vendor Updates

Beyond Microsoft's extensive patches, other vendors also released critical security updates during this period. Mozilla issued updates for Firefox (version 147) and Firefox ESR (version 140.7), resolving a total of 34 vulnerabilities, two of which were suspected to be under active exploitation. Updates for Google Chrome and Microsoft Edge were also anticipated or released to address various vulnerabilities, including a high-severity vulnerability in Chrome WebView (CVE-2026-0628).