Microsoft patch Tuesday fixes multiple zero-days and dozens of flaws

Microsoft issued its February 2026 Patch Tuesday security updates on February 10, closing multiple actively exploited zero-day vulnerabilities and dozens of other flaws across Windows, Office, Azure services and developer tools. Security advisories and vendor analyses place the total number of patched issues between 54 and 61 CVEs, a discrepancy that highlights differing counting methods among trackers.

Vendor tallies diverge: one advisory summarized the release as "fixing a total of 58 vulnerabilities across Windows, Microsoft Office, and core system components," while another research team wrote that "Microsoft addresses 54 CVEs in the February 2026 Patch Tuesday released, including six zero-day vulnerabilities that were exploited in the wild and three publicly disclosed CVEs." A separate vendor blog put the total at 61 vulnerabilities and said "this month’s release addresses 61 vulnerabilities, including five critical and 52 important-severity vulnerabilities." One explicit reconciliation is Tenable's note: "We omitted one vulnerability from our counts this month, CVE-2023-2804, a heap based overflow vulnerability in the libjpeg-turbo component." Differences may also reflect whether previously released Edge fixes or third-party component CVEs are included.

Across these assessments, security researchers agree that six zero-day vulnerabilities that were exploited in the wild were patched, and that three of those had been publicly disclosed before the update. Among the zero-days explicitly named in vendor writeups are CVE-2026-21519, CVE-2026-21525 and CVE-2026-21533. CVE-2026-21519 is described as "a Desktop Window Manager elevation of privilege vulnerability that could allow attackers to gain SYSTEM-level access." CVE-2026-21525 is a Windows Remote Access Connection Manager denial of service flaw caused by a null pointer dereference, and was reported by the 0patch research team. CVE-2026-21533 is an elevation of privilege vulnerability in Windows Remote Desktop Services discovered by the Advanced Research Team at CrowdStrike.

Security summaries of the Patch Tuesday release emphasize the prominence of privilege escalation flaws. One analysis highlighted that "elevation of privilege issues once again dominate the update, accounting for nearly half of all vulnerabilities addressed this month" and provided a categorical breakdown that included 3 denial of service flaws, 5 security feature bypasses, 6 information disclosure bugs, 7 spoofing issues, 12 remote code execution vulnerabilities and 25 elevation of privilege vulnerabilities.

The updates also included multiple critical issues affecting cloud and container services. Noted critical CVEs across the advisories include CVE-2026-24302 (Azure Arc elevation of privilege), CVE-2026-23655 (Microsoft ACI Confidential Containers information disclosure), CVE-2026-21522 (ACI Confidential Containers elevation of privilege), CVE-2026-24300 (Azure Front Door elevation of privilege) and CVE-2026-21532 (Azure Function information disclosure).

Security teams and vendors framed the release as urgent for administrators and end users. A LinkedIn post tied to the advisories stressed the point: "six actively exploited zero-day vulnerabilities—three of which were publicly disclosed prior to today—underscoring continued pressure on enterprises and consumers to apply security updates promptly."

Enterprises should consult Microsoft's Security Update Guide and vendor advisories to reconcile counts and obtain the complete, authoritative list of CVE identifiers and severity ratings. Reporters and administrators seeking clarity are advised to request Microsoft's official tally and confirmation of which CVEs are included in the Patch Tuesday bulletin, including whether third-party component fixes were counted.