
“While February was a smaller month in terms of the number of CVEs patched at 54, it was extremely busy, with Microsoft patching six zero-day vulnerabilities. Of the six zero days disclosed this month, five were exploited in the wild and three were publicly disclosed ahead of a patch being available.
“CVE-2026-21510 is a security feature bypass in Microsoft’s Windows Shell, which is the formal name for the graphical user interface (GUI) for the Windows operating system, from the desktop to the start menu and other GUI components. It means an attacker can bypass things like the security warnings that would normally cause a user to think twice about opening a file. It requires the attacker to trick a potential victim into opening a link (.lnk) or shortcut file. Not only was this exploited in the wild, Microsoft says it was publicly disclosed, possibly in a blog or in a social media post, though we weren’t able to find one at the time of publication. This matters because it means vulnerability details are already accessible to attackers.
“CVE-2026-21513 and CVE-2026-21514 are two additional security feature bypasses affecting MSHTML (a browser rendering engine known as Trident) and Microsoft Word respectively. They bear a lot of similarities to CVE-2026-21510, but the difference is that CVE-2026-21513 can also be exploited using an HTML file, while CVE-2026-21514 can only be exploited using a Microsoft Office file.
“Security features operate as gatekeepers like Heimdall protecting Asgard, protecting users from opening malicious files. Users have grown accustomed to receiving these alerts, so when vulnerabilities can bypass those protection mechanisms, users are more at risk of compromise.
“There were two zero-day elevation of privilege vulnerabilities that were exploited in the wild: one in Windows Remote Desktop Services (CVE-2026-21533) and one in the Desktop Window Manager or DWM (CVE-2026-21519). These are post-compromise vulnerabilities, which are nearly a dime a dozen each year throughout Patch Tuesday. For attackers, it’s almost like searching for treasure. They have to find a means to get to the spot on the proverbial map, like using social engineering or exploiting another vulnerability, but once they get there, they just need to find a way to dig – elevate privileges – before they hit paydirt.” – Satnam Narang, Senior Staff Research Engineer at Tenable
