Microsoft February 2026 vulnerability disclosures across Windows, Azure, and developer tools
Microsoft published multiple security advisories for Windows, Azure, and developer tooling, including several high-impact issues spanning remote code execution (RCE), elevation of privilege (EoP), spoofing, information disclosure, denial of service, and security feature bypass. Notable items include Azure SDK for Python RCE CVE-2026-21531 (CVSS 9.8; deserialization of untrusted data), Windows Shell security feature bypass CVE-2026-21510 (CVSS 8.8; exploitability listed as E:F), GitHub Copilot/Visual Studio/VS Code issues enabling RCE/EoP/feature bypass (CVE-2026-21256, CVE-2026-21523, CVE-2026-21257, CVE-2026-21518), and Azure Local RCE CVE-2026-21228 (CVSS 8.1; improper certificate validation). Additional Windows platform flaws include Desktop Window Manager EoP CVE-2026-21519 (type confusion), HTTP.sys EoP CVE-2026-21232 (untrusted pointer dereference), WinSock Ancillary Function Driver EoP CVE-2026-21238 (improper access control), Windows Storage EoP CVE-2026-21508, WSL EoP CVE-2026-21237, Microsoft Word security feature bypass CVE-2026-21514, Outlook spoofing CVE-2026-21511, Windows LDAP DoS CVE-2026-21243, plus ACI Confidential Containers information disclosure CVE-2026-23655 and Azure IoT Explorer information disclosure CVE-2026-21528.
Separately, a detailed third-party writeup described a Windows Error Reporting Service local privilege escalation, CVE-2026-20817, patched in January 2026, where the WER service (wersvc.dll) running as NT AUTHORITY\SYSTEM allegedly fails to validate requester permissions over ALPC, enabling a standard user to trigger process creation with a SYSTEM-derived token (retaining powerful rights such as SeDebugPrivilege, SeImpersonatePrivilege, and SeBackupPrivilege). Another third-party report highlighted a long-standing libpng heap buffer issue, CVE-2026-25646 (CVSS 8.3), in png_set_quantize() that can be triggered by a crafted PNG (palette present, histogram absent) leading to an infinite loop/out-of-bounds read with potential for DoS and, with heap grooming, possible code execution; an additional MSRC entry referenced libjpeg-turbo CVE-2023-2804 (heap-based overflow) as an Important RCE-class issue. Collectively, the disclosures reinforce the need to prioritize patching for internet-reachable components and developer tooling, and to treat local EoP bugs as high-risk in post-compromise and lateral movement scenarios.
Timeline
Feb 11, 2026
HKCERT publishes bulletin on Microsoft's February 2026 security updates
HKCERT issued a security bulletin covering Microsoft's February 2026 monthly security update. The bulletin reflected and redistributed Microsoft's published vulnerability information for the month.
Feb 10, 2026
Microsoft discloses Windows Remote Desktop Services EoP flaw CVE-2026-21533
A Security Update Guide advisory for CVE-2026-21533 identified an elevation of privilege vulnerability in Windows Remote Desktop Services. This appeared as part of Microsoft's February 2026 vulnerability disclosures.
Feb 10, 2026
Microsoft publishes February 2026 Security Update Guide entries
Microsoft released Security Update Guide advisories for multiple February 2026 vulnerabilities across Windows, Office, .NET, Azure, GitHub Copilot, Visual Studio, and other products. The disclosed issues included remote code execution, elevation of privilege, spoofing, information disclosure, denial of service, and security feature bypass flaws such as CVE-2026-21519, CVE-2026-21511, CVE-2026-21523, and CVE-2026-21228.
Related Stories

Microsoft February Patch Tuesday Fixes Actively Exploited Zero-Days Including Windows RDS Privilege Escalation
Microsoft’s February 2026 Patch Tuesday shipped fixes for **58 vulnerabilities** across Windows, Office, and related components, including **six zero-days reported as actively exploited**. Reported zero-days included **CVE-2026-21533** (Windows **Remote Desktop Services** elevation of privilege), **CVE-2026-21510** (Windows Shell security feature bypass involving SmartScreen/Mark-of-the-Web), **CVE-2026-21513** and **CVE-2026-21514** (Office/MSHTML mitigation bypasses requiring user interaction), and **CVE-2026-21525** (Windows Remote Access Connection Manager DoS). Coverage of the release emphasized that elevation-of-privilege issues were the largest category in the update set, and that organizations should prioritize rapid deployment given in-the-wild exploitation claims. For **CVE-2026-21533** (CVSS 7.8, *Important*), reporting cited CrowdStrike observations of an exploit binary used post-compromise to reach **SYSTEM** by modifying a service configuration **registry key** to point to attacker-controlled values, enabling actions such as adding a user to the local Administrators group; the issue primarily impacts Windows systems where RDS is enabled and is positioned as a strong enabler for lateral movement in RDP-heavy environments. Separately, a January 2026-patched local privilege escalation in Windows Error Reporting, **CVE-2026-20817** (CVSS 7.8), was described with technical detail and a released PoC: the WER service (`wersvc.dll`) allegedly failed to validate requester permissions over ALPC, allowing a standard user to trigger process creation with a SYSTEM-derived token retaining powerful privileges (e.g., `SeDebugPrivilege`, `SeImpersonatePrivilege`, `SeBackupPrivilege`), underscoring the broader trend of Windows local EoP bugs being leveraged for post-exploitation escalation.
1 month ago
Microsoft Discloses Multiple Critical Cloud and AI Service Vulnerabilities
Microsoft published several **critical** security advisories affecting cloud and AI services, including **Azure Cloud Shell**, **Azure DevOps**, **Azure Data Factory**, **Microsoft Copilot**, **M365 Copilot**, **Microsoft 365 Copilot BizChat**, **Microsoft Bing**, and **Bing Images**. The issues span **elevation of privilege**, **information disclosure**, **tampering**, and **remote code execution**, with listed weakness classes including **SSRF** (`CWE-918`), **insufficiently protected credentials** (`CWE-522`), **sensitive information exposure** (`CWE-200`), and **command injection** (`CWE-77`/`CWE-78`). Several advisories state that the vulnerabilities **require no customer action to resolve**, indicating Microsoft-managed remediation for affected online services. The most severe disclosures include **CVE-2026-32169** in *Azure Cloud Shell* with a **CVSS 10.0** elevation-of-privilege rating, **CVE-2026-32191** in *Microsoft Bing Images* with a **CVSS 9.8** remote code execution rating, and high-impact flaws in *Azure DevOps* (**CVE-2026-23658**), *Azure Data Factory* (**CVE-2026-23659**), and *Microsoft 365 Copilot BizChat* (**CVE-2026-26137**). Separate advisories also cover information disclosure in *Microsoft Copilot* (**CVE-2026-26136**) and *M365 Copilot* (**CVE-2026-24299**), plus a tampering flaw in *Microsoft Bing* (**CVE-2026-26120**). A separate report on the **RegPwn** Windows Registry privilege-escalation bug (**CVE-2026-24291**) describes a different issue in Windows accessibility and Secure Desktop handling and is not part of the same Microsoft cloud-service disclosure set.
1 week ago
Microsoft March 2026 Patch Tuesday Vulnerabilities Across SharePoint, Office/Excel, Windows Drivers, and GDI
Microsoft published security advisories for multiple **Important** and **Critical** vulnerabilities affecting *SharePoint Server*, *Microsoft Office/Excel*, Windows components, and *GDI*. The highest-impact server-side issue is **CVE-2026-26114**, a *SharePoint Server* **remote code execution** flaw attributed to **CWE-502 (deserialization of untrusted data)** with a CVSS v3.1 vector `AV:N/AC:L/PR:L/UI:N` (base score shown as 8.8), indicating network reachability with low complexity and requiring low privileges. Microsoft also disclosed **CVE-2026-26105**, a *SharePoint Server* **spoofing** issue mapped to **CWE-79 (XSS)** with `AV:N/AC:L/PR:N/UI:R` (base score shown as 8.1), implying remote exploitation that requires user interaction. On the endpoint/application side, Microsoft listed several *Office/Excel* **remote code execution** vulnerabilities: **CVE-2026-26109** (Excel RCE; **CWE-125 out-of-bounds read**; vector `AV:L/AC:L/PR:N/UI:N`, base score shown as 8.4), **CVE-2026-26108** (Excel RCE; **CWE-122 heap-based buffer overflow**; `AV:L/AC:L/PR:N/UI:R`, base score shown as 7.8), and **CVE-2026-26112** (Excel RCE; **CWE-822 untrusted pointer dereference**; `AV:L/AC:L/PR:N/UI:R`, base score shown as 7.8). Microsoft also published **CVE-2026-26113**, a **Critical** *Microsoft Office* RCE (also **CWE-822**) with `AV:L/AC:L/PR:N/UI:N` (base score shown as 8.4); one reference is a duplicate advisory page for the same CVE. Additional component advisories include **CVE-2026-24288** (Windows Mobile Broadband Driver RCE; **CWE-122**; `AV:P/AC:L/PR:N/UI:N`, base score shown as 6.8, requiring physical access) and **CVE-2026-25190** (GDI RCE; **CWE-426 untrusted search path**; `AV:L/AC:L/PR:N/UI:R`, base score shown as 7.8).
1 month ago