February's Patch Tuesday is lighter on total volume — 55 vulnerabilities, roughly half of January's count — but the severity is extraordinary. Six vulnerabilities are confirmed as actively exploited in the wild, making this the highest zero-day count in a single Patch Tuesday release in recent memory. Security researchers at Trend Micro's Zero Day Initiative noted this is "extraordinarily high" and questioned whether 2026 is heading toward another "hot exploit summer."
The Six Zero-Days
All six were being exploited before patches were available. Three are security feature bypass vulnerabilities, and three are elevation of privilege or denial of service flaws.
CVE-2026-21510 (CVSS 8.8) — Windows Shell SmartScreen Bypass. A protection mechanism failure allows attackers to circumvent SmartScreen and similar security prompts. The victim only needs to click a malicious link or open a crafted shortcut file. Once triggered, the bypass suppresses the "are you sure?" security dialogs for untrusted content, enabling silent payload delivery. This affects all currently supported versions of Windows.
CVE-2026-21513 — MSHTML/Trident Security Feature Bypass. Targets the MSHTML engine (Internet Explorer's core rendering component, still embedded in Windows). A crafted HTML or .lnk file can silently bypass Windows security prompts and trigger execution. MSHTML continues to be a recurring attack surface despite Internet Explorer's retirement.
CVE-2026-21514 (CVSS 5.5) — Microsoft Word OLE Mitigation Bypass. Bypasses Object Linking and Embedding protections in Word. Requires convincing a user to open a malicious document — a low bar for any phishing campaign. Microsoft released an emergency out-of-band (OOB) fix for a similar flaw in late January, and now the same attack surface appears again.
CVE-2026-21519 (CVSS 7.8) — Desktop Window Manager Elevation of Privilege. A type confusion vulnerability in DWM allows local attackers to escalate to SYSTEM privileges. This is the second consecutive month with a DWM zero-day — January's CVE-2026-20805 was also in DWM. Reported by Microsoft Threat Intelligence Center (MSTIC), indicating this is being used in targeted attacks.
CVE-2026-21533 — Remote Desktop Services Elevation of Privilege. Allows attackers to escalate to SYSTEM by modifying a service configuration key; the exploit uses that modification to add a new user to the Administrator group. CrowdStrike researchers discovered the exploit binary and noted that threat actors had already been using it in the wild.
CVE-2026-21525 — Windows Remote Access Connection Manager DoS. Discovered by 0patch researchers who found a working exploit in a public malware repository. An unprivileged user can crash the RasMan service, disrupting VPN connectivity for the entire machine.
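The CVE-2026-21533 exploit described above ends with a new user in the Administrator group, which leaves a trace in the Windows Security log. The following is an added example, not code from Microsoft or CrowdStrike: it correlates account creation (event 4720) with an addition to the local Administrators group (event 4732) on the same host. The record layout, host names, account names and the 10-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group
WINDOW = timedelta(minutes=10)       # assumed correlation window; tune per environment

# Constructed sample records, shaped like Security-log events exported to JSON.
# 4720 = user account created; 4732 = member added to a security-enabled local group.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2026-02-11T03:14:05", "Computer": "HOST-A",
     "TargetUserName": "svc_backup2", "TargetSid": "S-1-5-21-1111-2222-3333-1105",
     "SubjectUserSid": "S-1-5-18"},
    {"EventID": 4732, "TimeCreated": "2026-02-11T03:14:07", "Computer": "HOST-A",
     "MemberSid": "S-1-5-21-1111-2222-3333-1105", "TargetSid": ADMINISTRATORS_SID,
     "SubjectUserSid": "S-1-5-18"},
    # Existing account promoted by an administrator: no recent 4720, so not flagged.
    {"EventID": 4732, "TimeCreated": "2026-02-11T09:30:00", "Computer": "HOST-B",
     "MemberSid": "S-1-5-21-1111-2222-3333-1002", "TargetSid": ADMINISTRATORS_SID,
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-500"},
    # New account added to Remote Desktop Users (S-1-5-32-555), not Administrators.
    {"EventID": 4720, "TimeCreated": "2026-02-11T10:00:00", "Computer": "HOST-C",
     "TargetUserName": "contractor1", "TargetSid": "S-1-5-21-4444-5555-6666-1200",
     "SubjectUserSid": "S-1-5-21-4444-5555-6666-500"},
    {"EventID": 4732, "TimeCreated": "2026-02-11T10:00:30", "Computer": "HOST-C",
     "MemberSid": "S-1-5-21-4444-5555-6666-1200", "TargetSid": "S-1-5-32-555",
     "SubjectUserSid": "S-1-5-21-4444-5555-6666-500"},
]

def find_new_admin_accounts(events, window=WINDOW):
    """Flag accounts added to Administrators within `window` of being created on the same host."""
    created = {}   # (computer, account SID) -> (creation time, account name)
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            created[(ev["Computer"], ev["TargetSid"])] = (ts, ev["TargetUserName"])
        elif ev["EventID"] == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            hit = created.get((ev["Computer"], ev["MemberSid"]))
            if hit and ts - hit[0] <= window:
                findings.append({"computer": ev["Computer"], "account": hit[1],
                                 "created": hit[0], "added": ts,
                                 # Assumption: a change made as SYSTEM (S-1-5-18) deserves extra scrutiny.
                                 "by_system": ev["SubjectUserSid"] == "S-1-5-18"})
    return findings

if __name__ == "__main__":
    for f in find_new_admin_accounts(SAMPLE_EVENTS):
        print(f)
```

Events 4720 and 4732 are only logged when the "Audit User Account Management" and "Audit Security Group Management" subcategories are enabled, so confirm the audit policy before relying on an empty result.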
Deployment Priority
Six zero-days under active exploitation is an emergency. All six should be treated as critical regardless of their official severity rating. Prioritize: (1) the SmartScreen bypass (CVE-2026-21510) because it enables initial access across all Windows versions, (2) the DWM and RDS elevation of privilege flaws because they enable post-compromise privilege escalation, and (3) the Office/MSHTML bypasses because they target the most common phishing attack vector.
If your organization's patch deployment timeline is measured in weeks rather than days, six simultaneously exploited zero-days is the signal to accelerate that timeline.