February’s Patch Tuesday release fixes 59 flaws, including 6 being exploited
Each month, the team at Readiness analyzes the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. The company’s Patch Tuesday release for February addresses 59 CVEs across the company’s product family — roughly half the volume of January’s 159 patches.
Six vulnerabilities, affecting Windows Shell, MSHTML, Desktop Window Manager, Remote Desktop, Remote Access, and Microsoft Word, are already being actively exploited. (All five Critical-rated CVEs target Azure services rather than Windows, however.)
Both Windows and Office get a “Patch Now “recommendation, with CISA setting a March 3 enforcement deadline for all six exploited vulnerabilities. Two new enforcement timelines also take effect in April: Kerberos RC4 deprecation (CVE-2026-20833) and Windows Deployment Services hardening (CVE-2026-0386).
(More information about recent Patch Tuesday releases is available here.)
Known issues
February is a notably clean month for known issues. All three desktop KB articles — KB5077181 (Windows 11 25H2/24H2), KB5075941 (Windows 11 23H2), and KB5075912 (Windows 10 22H2) — explicitly state that Microsoft is not currently aware of any issues. This is a welcome contrast to January, which was one of the rougher months in recent memory.
Two ongoing known issues remain:
CVE-2025-59287: Windows Server Update Services (WSUS) — Error reporting intentionally disabled since October 2025 to mitigate this critical CVSS 9.8 unauthenticated RCE. Synchronization error details remain suppressed and Microsoft has not yet posted a fix or remediation strategy.
Windows Update Standalone Installer (WUSA) — Fails to install .msu packages from network shares containing multiple .msu files (ERROR_BAD_PATHNAME). This vulnerability has been mitigated via a Known Issue Rollback policy.
Issues resolved this month
February’s cumulative updates resolve several issues from January’s less-than-glorious cycle:
Windows Secure Launch — VSM shutdown and hibernation failure on Intel processors; devices restarted instead of powering off. Fixed in KB5077181, KB5075941, and KB5075912.
Microsoft OneDrive / Microsoft Outlook — Cloud storage integrations caused applications to hang when opening or saving files. (Now included in this month’s cumulative updates.)
These issues were originally addressed through three separate emergency out-of-band releases: (KB5077744 on Jan. 17, KB5078127 on Jan. 24, and the Jan. 29 preview). Organizations that deferred those updates will receive the fixes in this month’s cumulative package. But the operational regressions were only part of January’s disruption; Microsoft also shipped an emergency security patch for an actively exploited Office zero-day on Jan. 26.
Major revisions and mitigations
That emergency out-of-band security update for Office vulnerability was the only major inter-cycle security revision this month:
CVE-2026-21509 (Microsoft Office) — Security feature bypass that circumvents OLE mitigations, exposing users to vulnerable COM/OLE controls via malicious documents. CVSS 7.8; the Preview Pane is not an attack vector. Added to the CISA KEV catalog with a federal remediation deadline of Feb. 16 (this coming Monday), no further action is needed if the out-of-band update was already applied.
Windows lifecycle and enforcement updates
Two new enforcement timelines were introduced with the January updates, alongside several ongoing transitions that enterprise teams should be tracking. As we noted in January, the Secure Boot certificate deadlines remain the most time-sensitive:
CVE-2026-20833 — Windows Kerberos — RC4 encryption is being phased out for service account ticket issuance. In April: default changes to AES-SHA1 for accounts without an explicit msds-SupportedEncryptionTypes attribute. In July: enforcement phase removes the RC4DefaultDisablementPhase registry override entirely. Action: Audit service accounts for explicit encryption type attributes before April; to ensure no dependencies on RC4-only authentication.
CVE-2026-0386 — Windows Deployment Services (WDS) — Hands-free deployment hardening. April: disabled by default with a secure-by-default posture, it can be re-enabled via registry settings (with an understanding of the associated security risks). Action: Organizations using WDS for unattended OS deployment should plan for registry overrides or migrate to alternative deployment tooling before April.
CVE-2023-24932 — Windows Secure Boot — As we explained in January, the enforcement phase remains scheduled for “not before January 2026” with at least six months advance notice. When enforced, the Windows Production PCA 2011 certificate will be automatically revoked and added to the Secure Boot UEFI Forbidden List (DBX) on capable devices. This will be programmatic with no option to disable. Action: Verify that managed devices are receiving the updated 2023 certificates through Windows quality updates, and review Microsoft’s Secure Boot playbook.
As a reminder, the Secure Boot certificates issued in 2011 begin expiring this year. Devices that do not receive the updated 2023 certificates might fail to boot securely. We covered this in detail in our January post; admins must verify certificate status on managed devices and install the 2023 CAs before June
Six vulnerabilities are being actively exploited, spanning the Desktop Window Manager, Windows Shell, Remote Desktop Services, Internet Explorer mode, Remote Access, and Microsoft Word. One cumulative update component has been flagged as high risk, affecting Secure Boot and system power state transitions. And Microsoft has introduced a functional change to LDAP that restricts unauthenticated queries on Windows Server 2025.
Organizations should prioritize patching for the actively exploited vulnerabilities and validate power management changes before broad deployment.
Secure Boot and Power Management (High Risk)
Updates to the Secure Kernel and SecureBootAI components have been flagged as high risk by Microsoft. These changes affect how Windows handles power state transitions on Windows 11 23H2 and Windows 10 22H2 systems. Given the potential for boot and resume failures, thorough testing is essential before rolling out to production:
Initiate system shutdown using the Start menu and verify the system fully powers off; leave powered down for at least five minutes before restarting
Initiate system shutdown via command line (shutdown /s /t 0) and verify full power-off
Test system hibernation and confirm it resumes to the same state after at least five minutes, with previously open windows and applications restored
Test system sleep and wake, confirming the system returns to its prior state
Verify BitLocker-protected devices boot without recovery key prompts after applying the update
Windows Shell and Internet Explorer (actively exploited)
Two actively exploited security feature bypass flaws affect the Windows Shell and Internet Explorer MSHTML platform this month. The Shell vulnerability (CVE-2026-21510) carries a CVSS score of 8.8 and could allow an attacker to bypass security restrictions. The Internet Explorer vulnerability (CVE-2026-21513), also scored at 8.8, affects the MSHTML rendering engine that remains active in Windows — even when IE is not the default browser — including IE mode in Microsoft Edge:
Verify that Mark of the Web warnings appear correctly when opening files downloaded from the internet.
Test SmartScreen protection for downloaded executables and scripts.
If IE mode is enabled in Microsoft Edge, test that enterprise intranet sites load correctly and security zone restrictions are enforced.
Verify that UAC prompts and security dialogs display properly when executing downloaded content.
Remote Desktop and Remote Access (actively exploited)
Windows Remote Desktop Services and the Remote Access Connection Manager each received patches for actively exploited vulnerabilities. The Remote Desktop vulnerability (CVE-2026-21533) is an elevation of privilege issue scored at 7.8, while the Remote Access Connection Manager vulnerability (CVE-2026-21525) is a denial of service issue scored at 6.2.
Organizations that rely on RDP for administration or remote work should prioritize testing:
Test Remote Desktop connections to both server and client machines, verifying session establishment, credential handling, and session disconnect and reconnect.
Verify that Remote Desktop Gateway connections function correctly if used in your environment.
Test VPN and DirectAccess connections through the Remote Access Connection Manager.
Validate that remote access services remain stable under sustained connection load.
Networking and connectivity
Several core networking components received updates, including the Ancillary Function Driver (afd.sys), Connected Devices Platform (cdpsvc.dll), HTTP protocol stack (http.sys), and WLAN service (wlansvc.dll). None are flagged as high risk, but the breadth of changes across network subsystems warrants attention from enterprise teams managing diverse connectivity scenarios:
Send and receive packets over the network, including large file transfers over IPv6.
Test network connectivity through web browsing, messaging programs such as Microsoft Teams, and file upload and download.
Validate Nearby sharing and VPN connectivity, ensuring file transfers complete successfully.
Test web services that send responses with trailing headers under both normal and high-load conditions; look for response corruption, missing trailers, or unexpected connection drops.
Run WinHTTP and HTTP.sys QUIC client tests to verify SSL certificate handling.
Test Wi-Fi connectivity including enterprise and private networks, network discovery, automatic reconnection, and roaming behavior.
Validate Wi-Fi power management scenarios such as sleep during active connection, confirming connectivity resumes after wake.
Virtualization
Hyper-V core components (computecore.dll, vmcompute.dll, vmwp.exe) and the hypervisor binaries (hvax64.exe, hvix64.exe) have both been updated. These affect virtual machine lifecycle operations across Windows 11 24H2/25H2 and all server editions:
Enable the Hyper-V role and create a virtual machine.
Validate VM lifecycle operations: start, shutdown, reboot, pause, resume, save, and restore.
Test VM export and import scenarios.
Verify that existing VMs start and operate correctly after applying the update.
Graphics and DirectComposition
The Desktop Window Manager core (dwmcore.dll) received updates affecting visual composition on Windows 11 24H2/25H2 and Windows 10 1607. This includes a patch for an actively exploited elevation of privilege vulnerability (CVE-2026-21519) scored at 7.8, alongside updates to the GDI+ and Graphics Component. Applications using the Microsoft DirectComposition API should be validated:
Test applications that use the Microsoft DirectComposition API.
Verify that desktop animations, transparency effects, and window transitions render correctly.
Test multi-monitor configurations with different DPI scaling.
Server components
Several server-specific components received updates. Most notably, a functional change to the LDAP client library (wldap32.dll) on Server 2025 now restricts the number of values returned in a multi-value property during unauthenticated LDAP searches to 10,000 values. This is the only behavioral change in this release. Authenticated connections are not affected, but organizations with directory synchronization workflows should validate:
LDAP (Server 2025): Confirm that directory synchronization for groups exceeding 10,000 users succeeds over authenticated connections and is correctly restricted over unauthenticated connections.
System Events: Open a PowerShell window without admin privileges and run Get-WinEvent -ListLog “Microsoft-Windows-Kernel-ShimEngine/Operational” to confirm an insufficient permissions error appears.
Microsoft Office applications
Microsoft released security updates for Excel 2016 (KB5002837), Word 2016 (KB5002839), and Office 2016 (KB5002713), alongside updates for SharePoint Server 2016, 2019, Subscription Edition, and Office Online Server. The Word update addresses an actively exploited security feature bypass vulnerability (CVE-2026-21514) scored at 7.8. An Outlook vulnerability (CVE-2026-21511) rated as “exploitation more likely” was also patched. These updates are for MSI-based installations only and will not apply to Click-to-Run deployments such as Microsoft 365.
Open and edit complex Excel workbooks with formulas, macros, and external data connections.
Test Word document formatting, embedded objects, and mail merge scenarios.
Validate SharePoint document library operations, co-authoring, and workflow execution.
Verify that Office add-ins continue to function after applying updates.
Test Outlook email rendering, attachment handling, and security prompts when opening messages with embedded content.
Microsoft .NET Framework
February’s release includes updated SDK and runtime packages for .NET 8.0 (8.0.418), .NET 9.0 (9.0.114 and 9.0.311), and .NET 10.0 (10.0.103), available in both x64 and x86 variants. No application rebuilds or configuration changes are expected.
Confirm that existing .NET applications start and execute correctly after installing the update.
Test runtime initialization, common framework functionality including file I/O, networking, cryptography, and threading.
Validate ASP.NET Core workloads where applicable.
Test COSE message signature verification scenarios if your applications use the CoseMessage.DecodeSign1 method.
With six vulnerabilities actively exploited, patching urgency is high despite the lighter overall volume. Prioritize the Windows Shell, Internet Explorer/MSHTML, Remote Desktop, Remote Access, Desktop Window Manager, and Word patches first. Organizations using IE mode in Edge or relying on RDP for remote access should treat these as critical.
The Secure Boot and power management changes are flagged as high risk by Microsoft and should be validated next, as boot and power state failures can render devices unusable. The LDAP functional change on Server 2025 is the only behavioral change this month and could impact directory synchronization workflows that rely on unauthenticated queries returning large result sets. Server administrators should verify that their synchronization pipelines remain functional after patching.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Browsers (Microsoft IE and Edge)
Microsoft Windows (both desktop and server)
Microsoft Office
Microsoft Developer Tools (Visual Studio and .NET)
Adobe (if you get this far)
Microsoft Windows
None of this month’s five Critical-rated CVEs affect Windows directly — all target Azure services. However, five of the six actively exploited zero-days are Windows components:
CVE-2026-21510 — Windows Shell — Security feature bypass (CVSS 8.8); circumvents SmartScreen and Shell warnings via malicious link or shortcut file. Publicly disclosed and actively exploited.
CVE-2026-21513 — MSHTML Framework — Security feature bypass (CVSS 8.8); the MSHTML rendering engine remains active in Windows, even when IE is not the default browser, including through IE mode in Edge. Publicly disclosed and actively exploited.
CVE-2026-21519 — Desktop Window Manager — Elevation of privilege (CVSS 7.8); type confusion allowing SYSTEM escalation. Actively exploited.
CVE-2026-21533 — Windows Remote Desktop Services — Elevation of privilege (CVSS 7.8); improper privilege management allowing SYSTEM escalation. Actively exploited.
CVE-2026-21525 — Windows Remote Access Connection Manager — Denial of service (CVSS 6.2); null pointer dereference. Actively exploited.
CISA has added all six actively exploited vulnerabilities to the Known Exploited Vulnerabilities catalog with an enforcement deadline of March 3. Additional Windows components receiving updates include the Ancillary Function Driver (afd.sys), HTTP protocol stack (http.sys), Hyper-V, Secure Boot, LDAP, and GDI+ — none critical or actively exploited, but the breadth of changes warrants testing before broad deployment.
With actively exploited vulnerabilities and a CISA deadline of March 3, this is a Patch Now release for Windows; confirmed in-the-wild exploitation across Shell, MSHTML, DWM, Remote Desktop, and Remote Access leaves little room for delay.
Microsoft Office
Microsoft released security updates for Word 2016 (KB5002839), Excel 2016 (KB5002837), and Office 2016 (KB5002713), alongside updates for SharePoint Server 2016, 2019, Subscription Edition, and Office Online Server. These updates apply to MSI-based installations only and don’t apply to Click-to-Run deployments such as Microsoft 365:
CVE-2026-21514 — Microsoft Word — Security feature bypass (CVSS 7.8) is the sixth actively exploited zero-day in this release. It requires a user to open a malicious Office document; the Preview Pane is not an attack vector. The CISA KEV enforcement deadline is March 3.
CVE-2026-21511 — Microsoft Outlook — Spoofing vulnerability (CVSS 7.5) resulting from untrusted data deserialization via crafted email. Rated “Exploitation More Likely” by Microsoft.
Combined with the emergency out-of-band patch for CVE-2026-21509 (covered in Major Revisions above), Office has seen two actively exploited vulnerabilities in a single cycle. This is a Patch Now release for Office. Organizations running MSI-based Office 2016 or 2019 should ensure both the February cumulative updates and the Jan. 26 out-of-band update have been applied.
Microsoft Edge and Chromium
Microsoft Edge 144.0.3719.115, released Feb. 5, incorporates the latest upstream Chromium security fixes. As of Feb. 11, Microsoft has confirmed awareness of additional Chromium fixes and is actively working on a further Edge security release. On the Chromium side, Google shipped Chrome 145 on Feb. 10, addressing 11 security vulnerabilities:
CVE-2026-2313 — Chromium CSS — Use-after-free (High severity).
CVE-2026-2314 — Chromium Codecs — Heap buffer overflow (High severity).
CVE-2026-2315 — WebGPU — Inappropriate implementation (High severity).
The remaining eight fixes address medium and low severity issues across Frames, Animation, PictureInPicture, DevTools, File input, Ozone, and Downloads. These Chromium fixes will flow into a future Edge stable release. Enterprise teams managing Edge deployments can track updates via the Edge Security Release Notes.
Developer tools
A single security vulnerability was addressed across .NET 8.0, .NET 9.0, and .NET 10.0:
CVE-2026-21218 — .NET Runtime — Security feature bypass (CVSS 7.5). Updated runtime and SDK packages: .NET 8.0.24, .NET 9.0.13, and .NET 10.0.3, available in both x64 and x86 variants.
Microsoft .NET Framework received no updates this month, and no application rebuilds or configuration changes are expected. Add these updates to your standard deployment schedule.
Adobe and third-party updates
February is a welcome reprieve from the (patching) challenges of January — a clean month for known issues, half the CVE volume, and no critical Windows vulnerabilities.
That said, six actively exploited zero-days and an emergency OOB Office patch between cycles is hardly an easy life for IT administrators. With the Secure Boot and power management changes flagged as high risk, and printing and Win32 rendering components targeted for future updates, enterprise teams would be wise to keep their out-of-band response playbooks close at hand over the coming weeks.Microsoft’s Patch Tuesday updates: Keeping up with the latest fixes – ComputerworldRead More