Virtual Administrator’s February 2026 Patch Recommendations
February 2026 Security Updates
February brings 58 vulnerabilities with 5 rated “Critical” in severity. While this month sees fewer security updates overall, 6 are actively exploited zero-day vulnerabilities. This represents a significant shift for this patch cycle.
- CVE-2026-21510 is a security feature bypass vulnerability in Windows Shell. An unauthorized attacker can bypass a security feature over a network if they convince a user to open a malicious link or shortcut file.
- CVE-2026-21513 is a bypass vulnerability in MSHTML Framework. An attacker could exploit this by convincing a user to open a malicious HTML file or shortcut (.lnk) file delivered through a link, email attachment, or download. The specially crafted file manipulates browser and Windows Shell handling, allowing the attacker to bypass security features and potentially achieve code execution.
- CVE-2026-21514 is a security feature bypass in Microsoft Word. An attacker must send a user a malicious Office file and convince them to open it to bypass a security feature locally.
- CVE-2026-21519 is an elevation of privilege vulnerability in the Desktop Window Manager. An authorized attacker can exploit this locally to gain SYSTEM privileges through a type confusion flaw.
- CVE-2026-21533 is an elevation of privilege vulnerability in Windows Remote Desktop Services. An authorized attacker can exploit this locally to escalate user privileges to SYSTEM level access.
- CVE-2026-21525 is a denial-of-service vulnerability in the Windows Remote Access Connection Manager. An unauthorized attacker can cause service denial locally through a null pointer dereference.
A new Servicing Stack Update has been released for Windows 10 1607 and Server 2016. Windows 11 26H1 has also been released as a targeted release for specific new device innovations in 2026 and will not affect most environments. See “FYI” section below for details.
Disclosed: CVE-2026-21510, CVE-2026-21513, CVE-2026-21514
Exploited: CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, CVE-2026-21533
Security Update Guide
https://msrc.microsoft.com/update-guide/en-us
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 2/10/2026)
https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.
NOTE: The Windows 10 Security Stack Updates are included in the monthly Cumulative Updates.
FYI: Windows 11 26H1 Released
“Windows 11, version 26H1 is not a feature update for version 25H2.”
What to know about Windows 11, version 26H1
Windows 11, version 26H1 is a targeted release that supports new device innovations coming in 2026. This release is not being made available through broad channels but is only intended for those who purchase these new devices. At this time, devices with Qualcomm Snapdragon® X2 Series processors will come with Windows 11, version 26H1.
Known Issues
No new known issues reported by Microsoft. Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.
Out-of-Band Fixes Released January 24 (Server and Workstation)
[File System] Fixed: After installing the Windows update released on and after January 13, 2026, some applications became unresponsive or encountered unexpected errors when opening files from or saving files to cloud-based storage, such as OneDrive or Dropbox. In certain Outlook configurations that store PST files on OneDrive, Outlook may hang and fail to reopen unless the process is terminated or the system is restarted. Users may also see missing sent items or previously downloaded emails being re-downloaded.
Out-of-Band Fixes Released January 17 (Server and Workstation)
[Remote Desktop] Fixed: After installing the January 2026 Windows security update, some users experienced sign-in failures during Remote Desktop connections. This issue affected authentication steps for different Remote Desktop applications on Windows such as the Windows App.
Out-of-Band Fixes Released January 17 (Workstation Only)
[Power & Battery] Fixed: Some devices with Secure Launch enabled restart instead of shutting down or entering hibernation.
Good resource for known issues with Windows 10/11/Server patches. Find the version and click on “Known issues”.
Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022,2025 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB5075970 – Windows Server 2012 R2 (ESU)
- KB5075971 – Windows Server 2012 (ESU)
Cumulative Updates
Windows 10
- KB5075912 – Version 21H2 “November 2021 Update” (OS Build 19044) (ESU)
- KB5075912 – Version 22H2 “November 2022 Update” (OS Build 19045) (ESU)
(Versions 1507,1511,1607,1703,1709,1803,1809,1903,1909,2004,20H2,21H1 are no longer under support)
Windows 11
- KB5075941 – 23H2 (OS Build 22631)
- KB5077181 – 24H2 (OS Build 26100)
- KB5077181 – 25H2 (OS Build 26200)
- KB5077179 – 26H1 (OS Build 28000)
(Version 21H2,22H2 are no longer under support)
Windows Server
- KB5075999 – Server 2016 (EOS January 2027)
- KB5075904 – Server 2019 (EOS January 2029)
- KB5075906 – Server 2022 (OS Build 20348)
- KB5075897 – Server 23H2 (OS Build 25398)
- KB5075899 – Server 2025 (OS Build 26100)
February 2026 updates for Microsoft Office
Notable CVEs
CVE-2026-21510 | Windows Shell Security Feature Bypass Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21510
Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.
To successfully exploit this vulnerability, an attacker must convince a user to open a malicious link or shortcut file.
CVE-2026-21513 | MSHTML Framework Security Feature Bypass Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21513
Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.
An attacker could exploit this vulnerability by convincing a user to open a malicious HTML file or shortcut (.lnk) file delivered through a link, email attachment, or download. The specially crafted file manipulates browser and Windows Shell handling, causing the content to be executed by the operating system. This allows the attacker to bypass security features and potentially achieve code execution.
CVE-2026-21514 | Microsoft Word Security Feature Bypass Vulnerability (Click to Run)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21514
Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.
An attacker must send a user a malicious Office file and convince them to open it.
CVE-2026-21519 | Desktop Window Manager Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21519
Access of resource using incompatible type (‘type confusion’) in Desktop Window Manager allows an authorized attacker to elevate privileges locally.
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2026-21525 | Windows Remote Access Connection Manager Denial of Service Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21525
Null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally.
CVE-2026-21533 | Windows Remote Desktop Services Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-21533
Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate privileges locally.
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
