Microsoft's February 2026 Patch Tuesday addresses 58 flaws, including 6 actively exploited zero-days, across Windows, Office and Azure. Critical RCE and EoP flaws demand immediate patching.
Microsoft February 2026 Patch Tuesday landed with urgency, tackling 58 vulnerabilities including six zero-days already weaponized by attackers worldwide. Three flaws were publicly known before patching; the other three were stealthily exploited in the wild.
Zero-Day Breakdown
CVE-2026-21391 – Windows Storage Elevation of Privilege (CVSS 7.1)
Local attackers escalate privileges, delete protected files, crash services. Chained with phishing campaigns globally.
CVE-2026-21377 – NTLM Hash Disclosure (CVSS 6.5)
Malicious files trigger credential harvesting via right-click context menus. Affects MSHTML/EdgeHTML components.
CVE-2026-20805 – Desktop Window Manager Info Leak
Memory contents exposed for privilege escalation chains. Windows 11 24H2 heavily targeted.
Three additional unspecified zero-days: public disclosures plus active exploitation confirmed by Microsoft.
Critical RCE Vulnerabilities
CVE-2026-21376 – Windows LDAP Remote Code Execution (CVSS 8.1)
Unauthenticated network attackers trigger buffer overflow via race condition. Domain controllers most at risk.
Excel Exploit Chain (6 CVEs)
Memory corruption via malicious spreadsheets. Office 365, perpetual licenses, all versions affected.
Vulnerability Distribution
| Severity / Impact | Count | Key Examples |
|---|---|---|
| Critical | 5 | LDAP RCE (CVE-2026-21376) |
| Elevation of Privilege | 28 | Storage zero-day |
| Remote Code Execution | 12 | Excel chain |
| Information Disclosure | 10 | DWM zero-day |
| Denial of Service | 5 | Kernel flaws |
Deployment Priority
Immediate (24 hours):
- Domain controllers
- WSUS/SCCM servers
- Public-facing Exchange/Azure AD Connect
- Zero-day affected systems
High (72 hours):
- Windows 11/10 endpoint fleets
- Office 365 environments
- Hyper-V hosts
Routine (7 days):
- Server 2016-2025
- VDI golden images
- Printers/scanners
Active Exploitation Context
State-sponsored groups chained Storage EoP with phishing for initial access. Ransomware operators weaponize Excel flaws for lateral movement. NTLM leaks fuel pass-the-hash attacks across enterprise networks.
Qualys, Rapid7, Tenable scanners updated with detection rules. EDR solutions flag anomalous LDAP queries, Storage service failures, memory scraping attempts.
Technical Implementation
Windows Updates:
- Windows 11 24H2: KB5034765 (Build 26100.2890)
- Windows 10 22H2: KB5034763 (Build 19045.3895)
- Server 2025: KB5034768
Office Updates:
- Current Channel: Version 2412 (Build 18329.20230)
- Monthly Enterprise: Version 2311 (Build 17029.20218)
Azure/Defender: Auto-remediation available for managed instances.
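An added example, not from the original article or from Microsoft: a Python triage pass over a fleet inventory that combines the deployment tiers above with the patched build numbers listed in this section. The role labels, the inventory layout, the fail-safe default for unknown roles and the sample hosts are assumptions constructed for illustration.

```python
# Patched builds exactly as listed on this page: OS -> (build, revision).
PATCHED_BUILDS = {
    "Windows 11 24H2": (26100, 2890),  # KB5034765
    "Windows 10 22H2": (19045, 3895),  # KB5034763
}
# Page's deployment tiers as deadlines in hours; role labels are assumed.
TIER_HOURS = {
    "domain-controller": 24, "wsus": 24, "sccm": 24,
    "exchange-public": 24, "aad-connect": 24,
    "endpoint": 72, "office365": 72, "hyper-v": 72,
    "server": 168, "vdi-image": 168, "printer": 168,
}
def parse_build(text):
    """'26100.2890' -> (26100, 2890) so builds compare numerically."""
    major, _, rev = text.strip().partition(".")
    return int(major), int(rev or 0)

def is_patched(os_name, build):
    """True/False against the page's build; None when it cannot be judged."""
    target = PATCHED_BUILDS.get(os_name)
    if target is None:
        return None  # page lists no build for this OS (e.g. Server 2025)
    have = parse_build(build)
    if have[0] != target[0]:
        return None  # different build family: cannot compare revisions
    return have[1] >= target[1]

def triage(inventory):
    """Hosts not confirmed patched, sorted by the page's deadline tiers."""
    findings = []
    for host, role, os_name, build in inventory:
        status = is_patched(os_name, build)
        if status is True:
            continue
        hours = TIER_HOURS.get(role, 24)  # assumption: unknown role fails safe
        findings.append((hours, host, "UNPATCHED" if status is False else "UNKNOWN"))
    return sorted(findings)

# Constructed sample inventory: (host, role, OS, build). All values made up.
INVENTORY = [
    ("dc01", "domain-controller", "Windows Server 2025", "26100.1742"),
    ("wks-114", "endpoint", "Windows 11 24H2", "26100.2605"),
    ("wks-207", "endpoint", "Windows 11 24H2", "26100.2890"),
    ("wks-310", "endpoint", "Windows 10 22H2", "19045.3803"),
    ("vdi-gold", "vdi-image", "Windows 10 22H2", "19045.3895"),
]
if __name__ == "__main__":
    for hours, host, status in triage(INVENTORY):
        print(f"{hours:>3}h  {host:<10} {status}")
```

Hosts reported as UNKNOWN need a KB-level check instead, since the article gives no build number for Server 2025.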
Testing & Rollback
Qualys QIDs live for vulnerability scanning. BeyondTrust validates no post-patch privilege escalation. Windows restore points created automatically. Office maintains January CU as fallback.
Microsoft security teams confirm clean patches—no BlueKeep-style regressions detected in canary deployments.
Strategic Implications
Six zero-days signal an elevated threat landscape entering 2026. LDAP RCE severity rivals PrintNightmare; coordinated patching prevents widespread compromise. Enterprises should accelerate patch automation while maintaining rigorous testing.
Patch Tuesday February 2026 demands swift execution across all environments. Six zero-days under active fire leave no room for deployment delays.