February Patch Tuesday includes recent out-of-band updates from Microsoft between January 17th and 29th, including multiple bug fixes and a fix for a zero-day exploit in Microsoft Office. In addition, Microsoft's announcement of the phased disablement of NTLM preceded the February 2026 Patch Tuesday release.

For the February Patch Tuesday release, Microsoft has resolved 57 unique CVEs. Six CVEs are flagged as Exploited and three of those are Publicly Disclosed as well. Add the out-of-band (OOB) zero-day and you have a lineup of CVEs that need some attention.

January Out-of-Band Releases

The first OOB release on January 17th resolved a credential prompt failure when attempting remote desktop or remote appliance connections. The second round of OOB updates occurred on January 24th and 26th, resolving application crashes in Outlook and OneDrive and system hibernation/shutdown issues. Finally, the third OOB update on January 26th resolved a zero-day vulnerability, CVE-2026-21509, a Microsoft Office Security Feature Bypass vulnerability.

Microsoft plans phased NTLM disablement

Microsoft released their plan for the phased disablement of New Technology LAN Manager (NTLM) in the latest operating systems, starting now in 2026 and continuing beyond. The NTLM authentication protocol was introduced back in 1993 and has since been superseded by Kerberos protocols, which are far more secure. However, NTLM has remained the fallback when Kerberos is unavailable, despite being deprecated and relying on weak algorithms.

Phase one introduces additional auditing to help you identify where NTLM may still be running and change it out where you can. Starting now, Microsoft recommends using the advanced NTLM auditing already available in Server 2025 and in Windows 11 24H2 and newer. Phase two begins with major OS updates coming later this year. This update will address the ‘pain points’ or blockers by removing multiple fallback scenarios where Kerberos reverts back to NTLM.

And finally in phase three, NTLM will be disabled by default. The code will still be there, but you will need to explicitly re-enable it if absolutely needed. This three-phase approach will happen quickly, so plan appropriately to replace NTLM in your environment and take a giant security step forward. The ‘NTLM disabled by default’ phase will occur with the next major Server update.

Microsoft’s exploited vulnerability  

On January 29th, Microsoft resolved a Security Feature Bypass vulnerability in Microsoft Office (CVE-2026-21509). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but it has been confirmed to be exploited in the wild. An attacker can send a user a malicious Office file and convince them to open the file to exploit the vulnerability. A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.  

Microsoft resolved an Elevation of Privilege vulnerability in Remote Desktop Services (CVE-2026-21533). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but it has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The vulnerability affects Windows 10 and later editions of the OS. A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.  

Microsoft resolved an Elevation of Privilege vulnerability in Desktop Window Manager (CVE-2026-21519). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but it has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. The vulnerability affects all currently supported and ESU supported versions of Windows OS. A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.  

Microsoft resolved a Security Feature Bypass vulnerability in MSHTML Framework (CVE-2026-21513). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.8, but it has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could bypass a security feature over a network. The vulnerability affects Windows 10 and later editions of the OS. A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.  

Microsoft resolved a Security Feature Bypass vulnerability in Windows Shell (CVE-2026-21510). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 8.8, but it has been confirmed to be exploited in the wild. An attacker who successfully exploited this vulnerability could bypass a security feature over a network. The vulnerability affects all currently supported and ESU supported versions of Windows OS. A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.  

Microsoft resolved a Security Feature Bypass vulnerability in Microsoft Word (CVE-2026-21514). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but it has been confirmed to be exploited in the wild. An attacker can bypass a security feature locally due to a reliance on untrusted inputs. A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.

Microsoft resolved a Denial of Service vulnerability in Windows Remote Access Connection Manager (CVE-2026-21525). The vulnerability is rated Moderate by Microsoft and has a CVSS v3.1 score of 6.2, but it has been confirmed to be exploited in the wild. A null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally. The vulnerability affects all currently supported and ESU supported versions of Windows OS. A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned.  

Ivanti security advisories  

Ivanti has released one security update for February. The update affects Ivanti Endpoint Manager and resolves two new CVEs and 11 medium severity CVEs that were disclosed in late 2025. More details and information about mitigations can be found in the February Security Advisory.  

In addition, there was a security advisory on January 29th for Ivanti Endpoint Manager Mobile (EPMM) that had a limited number of customers impacted at time of disclosure. Ivanti urges all customers using the on-prem EPMM product to promptly install the Security Update. The security advisory, additional technical analysis, and an Exploitation Detection script co-developed with NCSC-NL can be found in the January Security Advisory.

Third-party vulnerabilities   

Adobe has released nine updates this month resolving 43 CVEs, 27 of which are Critical. All nine updates are rated Priority three by Adobe.

February update to-do list

Windows OS and Microsoft Office updates are the priority this month, resolving six new zero-day exploits and one OOB zero-day exploit.

Review Microsoft's announcement and documentation on the phased disablement of NTLM to start planning for the deprecation and disablement of NTLM.