Actively exploited Microsoft zero-days patched in February security updates
Microsoft disclosed and patched multiple actively exploited vulnerabilities as part of its February security updates, including a Microsoft Word security feature bypass tracked as CVE-2026-21514. The Word flaw (CVSS 7.8; CWE-807) allows attackers to bypass Object Linking and Embedding (OLE)-related mitigations by abusing how Word makes security decisions based on untrusted inputs; exploitation is described as requiring a crafted document and user interaction (e.g., opening a phishing-delivered file) while avoiding typical prompts such as Protected View or “Enable Content” warnings.
Microsoft also addressed an in-the-wild exploited Windows Desktop Window Manager (dwm.exe) elevation-of-privilege vulnerability, CVE-2026-21519 (CVSS 7.8), which can allow a local attacker to escalate from a standard user context to SYSTEM. The February update review also lists additional exploited issues patched in the same release, including security feature bypasses in Windows Shell (CVE-2026-21510) and Internet Explorer (CVE-2026-21513), plus other exploited vulnerabilities (e.g., Windows Remote Desktop Services EoP CVE-2026-21533), underscoring that defenders should prioritize rapid deployment of the February fixes across affected Windows and Office estates.
Timeline
Mar 3, 2026
CISA sets federal patch deadline for Word zero-day
CISA set a 2026-03-03 deadline for U.S. federal civilian agencies to remediate CVE-2026-21514 after it was disclosed as actively exploited. The directive elevated urgency around patching the Microsoft Word zero-day.
Feb 10, 2026
Microsoft patches exploited DWM zero-day CVE-2026-21519 in February updates
On 2026-02-10, Microsoft addressed CVE-2026-21519 in the February 2026 security update, fixing an actively exploited Windows Desktop Window Manager flaw that could allow local privilege escalation to SYSTEM. The issue affects multiple Windows 10, Windows 11, and Windows Server versions, with no workaround other than patching.
Feb 10, 2026
Microsoft issues Office fixes for Word zero-day CVE-2026-21514
Microsoft released Click-to-Run updates for affected Windows and Mac Office products to address CVE-2026-21514, including version 16.106.26020821. The fixes cover multiple Office product lines such as Microsoft 365 Apps for Enterprise and Office LTSC 2021/2024.
Feb 10, 2026
Microsoft discloses actively exploited Word zero-day CVE-2026-21514
On 2026-02-10, Microsoft disclosed CVE-2026-21514, a Microsoft Word security feature bypass flaw that abuses untrusted input handling to bypass OLE mitigations for malicious COM/OLE controls. The vulnerability was reported as actively exploited in the wild and can be triggered when a user opens a specially crafted Office document.
Feb 10, 2026
Microsoft's February 2026 security updates disclose multiple exploited zero-days
On 2026-02-10, Microsoft's February 2026 security release was reviewed publicly, listing several vulnerabilities as exploited in the wild, including Microsoft Word security feature bypass CVE-2026-21514 and Desktop Window Manager elevation-of-privilege CVE-2026-21519. The release also covered fixes across Windows, Office, Azure, and other Microsoft products.
Related Stories

Microsoft February Patch Tuesday Fixes Actively Exploited Zero-Days Including Windows RDS Privilege Escalation
Microsoft’s February 2026 Patch Tuesday shipped fixes for **58 vulnerabilities** across Windows, Office, and related components, including **six zero-days reported as actively exploited**. Reported zero-days included **CVE-2026-21533** (Windows **Remote Desktop Services** elevation of privilege), **CVE-2026-21510** (Windows Shell security feature bypass involving SmartScreen/Mark-of-the-Web), **CVE-2026-21513** and **CVE-2026-21514** (Office/MSHTML mitigation bypasses requiring user interaction), and **CVE-2026-21525** (Windows Remote Access Connection Manager DoS). Coverage of the release emphasized that elevation-of-privilege issues were the largest category in the update set, and that organizations should prioritize rapid deployment given in-the-wild exploitation claims. For **CVE-2026-21533** (CVSS 7.8, *Important*), reporting cited CrowdStrike observations of an exploit binary used post-compromise to reach **SYSTEM** by modifying a service configuration **registry key** to point to attacker-controlled values, enabling actions such as adding a user to the local Administrators group; the issue primarily impacts Windows systems where RDS is enabled and is positioned as a strong enabler for lateral movement in RDP-heavy environments. Separately, a January 2026-patched local privilege escalation in Windows Error Reporting, **CVE-2026-20817** (CVSS 7.8), was described with technical detail and a released PoC: the WER service (`wersvc.dll`) allegedly failed to validate requester permissions over ALPC, allowing a standard user to trigger process creation with a SYSTEM-derived token retaining powerful privileges (e.g., `SeDebugPrivilege`, `SeImpersonatePrivilege`, `SeBackupPrivilege`), underscoring the broader trend of Windows local EoP bugs being leveraged for post-exploitation escalation.
1 month ago
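The post-compromise pattern reported for CVE-2026-21533 (a service configuration registry write followed by an addition to the local Administrators group) can be hunted by correlating two event types on the same host. The sketch below is an added example, not code from Microsoft, CrowdStrike or the original page. The events are constructed and simplified from Sysmon Event ID 13 and Security Event ID 4732. The reporting does not name the registry key, so the `Services` subtree scope, the assumption that the write is logged under a non-SYSTEM account, the five-minute window and the name `ExampleSvc` are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed scope: the reporting does not name the key, so watch the whole
# service-configuration subtree.
SERVICES_PREFIX = r"hklm\system\currentcontrolset\services" + "\\"
ADMINS_SID = "S-1-5-32-544"              # BUILTIN\Administrators
SYSTEM_USERS = {"nt authority\\system"}  # writers treated as expected

# Constructed sample events (simplified fields, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "rds01", "time": "2026-02-12T09:14:02", "event_id": 13,
     "user": "CORP\\jdoe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\ImagePath"},
    {"host": "rds01", "time": "2026-02-12T09:14:40", "event_id": 4732,
     "user": "NT AUTHORITY\\SYSTEM", "group_sid": ADMINS_SID,
     "member": "CORP\\jdoe"},
    # Benign: SYSTEM writing a service value, no group change.
    {"host": "ws07", "time": "2026-02-12T10:00:00", "event_id": 13,
     "user": "NT AUTHORITY\\SYSTEM",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Start"},
    # Benign: helpdesk adds an admin, no preceding service-key write.
    {"host": "ws09", "time": "2026-02-12T11:00:00", "event_id": 4732,
     "user": "CORP\\helpdesk", "group_sid": ADMINS_SID,
     "member": "CORP\\asmith"},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def correlate(events, window=timedelta(minutes=5)):
    """Alert when a non-SYSTEM service-key write precedes an
    Administrators-group addition on the same host within `window`."""
    writes = [e for e in events
              if e["event_id"] == 13
              and e["target"].lower().startswith(SERVICES_PREFIX)
              and e["user"].lower() not in SYSTEM_USERS]
    adds = [e for e in events
            if e["event_id"] == 4732 and e.get("group_sid") == ADMINS_SID]
    alerts = []
    for w in writes:
        for a in adds:
            delta = _ts(a) - _ts(w)
            if a["host"] == w["host"] and timedelta(0) <= delta <= window:
                alerts.append({"host": w["host"], "writer": w["user"],
                               "key": w["target"], "added_member": a["member"],
                               "seconds_apart": int(delta.total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Either event alone is common administrative noise; the pairing on one host within a short window is what makes the alert worth triaging.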
Microsoft Patch Tuesday Fixes Six Actively Exploited Zero-Days Including Windows Shell SmartScreen Bypass
Microsoft released its February Patch Tuesday security updates addressing **~58–59 vulnerabilities** across Windows and other products, including **six zero-day flaws confirmed as actively exploited in the wild** and **five Critical** issues. Reported vulnerability classes were led by **Elevation of Privilege (25)**, followed by **Remote Code Execution (12)** and **Security Feature Bypass (5)**, with additional fixes for spoofing, information disclosure, DoS, and XSS; Microsoft also noted additional *Edge* fixes shipped outside the prior Patch Tuesday cadence, including an Android spoofing issue (`CVE-2026-0391`). One of the actively exploited zero-days highlighted across reporting is `CVE-2026-21510`, a **Windows Shell security feature bypass** that can be abused to evade **Mark-of-the-Web/SmartScreen-style warnings** by using specially crafted files (e.g., shortcut/link formats) so that untrusted content can execute without expected prompts, making it well-suited to phishing and social-engineering delivery. Separate coverage also noted Microsoft’s rollout of **updated Secure Boot certificates** ahead of the June 2026 expiration of legacy 2011 certificates, a change with broad implications for Windows boot integrity and enterprise device management.
1 month ago
Microsoft January Patch Tuesday Fixes 114 Vulnerabilities Including Three Zero-Days
Microsoft’s January Patch Tuesday security updates addressed **114 vulnerabilities**, including **three zero-days** reported as publicly known and/or exploited. Reported issues span multiple Windows and Microsoft product components, including **Desktop Window Manager (DWM)**, legacy modem drivers, and core OS services, with a mix of **information disclosure**, **elevation of privilege (EoP)**, **security feature bypass**, and **remote code execution (RCE)** flaws. Technical highlights called out include **CVE-2023-31096** (Windows Agere Soft Modem Driver EoP), **CVE-2026-20805** (DWM information disclosure), and a **Secure Boot certificate expiration** security feature bypass (**CVE-2026-21265**). The update set also includes multiple **Office/Excel/Word RCE** vulnerabilities (e.g., **CVE-2026-20952**, **CVE-2026-20953**, **CVE-2026-20955**, **CVE-2026-20957**, **CVE-2026-20944**), Windows privilege-escalation issues (e.g., **Windows Graphics Component** and **VBS Enclave** EoP), and cloud/agent components such as **Azure Connected Machine Agent** (**CVE-2026-21224**) and **Azure Core shared client library for Python** (**CVE-2026-21226**).
1 month ago