Overview
Microsoft has released security updates addressing multiple vulnerabilities as part of the February 2026 Patch Tuesday. Six of these vulnerabilities are zero-days and have been reported as actively exploited in the wild.
CVE-2026-21510 – Windows Shell Security Feature Bypass CVSS v3: 8.8 (High)
A protection mechanism failure in Windows Shell allows an unauthorised attacker to bypass security features over a network. Exploitation may involve specially crafted shortcut or link files to evade built-in protections.
Affected Versions: All supported Windows 10 and Windows 11 releases.
CVE-2026-21513 – MSHTML Framework Security Feature Bypass CVSS v3: 8.8 (High)
A weakness in the MSHTML (Trident) engine — the component Windows uses to display certain web content — could allow an attacker to bypass built-in security protections. If a user is tricked into opening a specially crafted webpage or HTML file (for example, via a malicious email attachment or link), the attacker may be able to run content without normal security warnings appearing.
Affected Versions: All supported Windows versions containing the MSHTML component.
CVE-2026-21514 – Microsoft Word Security Feature Bypass CVSS v3: 7.8 (High)
A flaw in Microsoft Word could allow security checks to be bypassed when opening a specially crafted document. If a user opens a malicious Office file, protections designed to block unsafe content may not function as expected.
Affected Versions: Microsoft 365 Apps for Enterprise and supported Office/Word versions (as of February 2026).
CVE-2026-21519 – Desktop Window Manager Elevation of Privilege CVSS v3: 7.8 (High)
A vulnerability in a core Windows component could allow an attacker who already has access to a device to gain higher system-level privileges. This could give them full control over the affected system.
Affected Versions: Supported Windows 10 and Windows 11 releases.
CVE-2026-21525 – Windows Remote Access Connection Manager Denial of Service CVSS v3: 7.8 (High)
A flaw in the Windows service that manages remote and VPN connections could allow a local attacker to crash the service. This may disrupt remote connectivity until the system or service is restarted.
Affected Versions: Supported Windows releases with the RasMan service enabled.
CVE-2026-21533 – Windows Remote Desktop Services Elevation of Privilege CVSS v3: 7.8 (High)
A weakness in Remote Desktop Services could allow a user with existing access to a system to gain higher privileges. This could enable them to perform administrative actions they would not normally be permitted to carry out.
Affected Versions: Supported Windows systems with Remote Desktop Services enabled.
Apple has released updates for all of its operating systems (iOS, iPadOS, macOS, tvOS, watchOS, and visionOS). The updates fix 71 distinct vulnerabilities which may affect multiple of the OSs noted above. The following vulnerability has been noted as having been exploited in targeted attacks.
CVE-2026-20700 – Apple (Multiple OSs) Memory Corruption Arbitrary Code Execution CVSS v3: 7.8 (High)
A memory corruption issue was addressed in several Apple Operating Systems. An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in a sophisticated attack against targeted individuals.
Affected Versions: All versions up to 26.2 on iPadOS, iPhoneOS, MacOS, tvOS, visionOS and watchOS
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
Microsoft – Release Notes (February 2026)
Apple – Security Releases (February 2026)
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.