Six Zero-Days in One Patch Tuesday
Microsoft's February 2026 Patch Tuesday is one of the most critical in recent memory, addressing approximately 60 vulnerabilities across Windows, Office, Azure, and other Microsoft products. Among them are six actively exploited zero-days — the highest count of confirmed in-the-wild exploits in a single monthly update since late 2024.
The sheer number of zero-days being exploited simultaneously suggests multiple independent threat actors are actively targeting Microsoft's ecosystem, and the ongoing CISA shutdown means federal coordination for patch verification is severely degraded.
The Six Zero-Days
| CVE | Component | Type | CVSS | Exploitation |
|---|---|---|---|---|
| CVE-2026-21239 | Windows Kernel | Elevation of Privilege | 7.8 | Active |
| CVE-2026-21391 | Windows SmartScreen | Security Feature Bypass | 8.1 | Active |
| CVE-2026-21418 | Microsoft Office | Remote Code Execution | 8.8 | Active |
| CVE-2026-21445 | Windows Print Spooler | Elevation of Privilege | 7.8 | Active |
| CVE-2026-21502 | Windows Hyper-V | Elevation of Privilege | 7.8 | Active |
| CVE-2026-21537 | Windows NTLM | Spoofing | 6.5 | Active |
Critical Vulnerabilities Breakdown
CVE-2026-21239 — Windows Kernel EoP
A privilege escalation vulnerability in the Windows kernel that allows a local attacker to gain SYSTEM privileges from a standard user context. This is the type of vulnerability commonly chained with remote code execution bugs to achieve full system compromise.
CVE-2026-21391 — SmartScreen Bypass
An attacker can craft content that bypasses Windows SmartScreen protections — the system that warns users before running potentially dangerous files downloaded from the internet. This effectively removes a critical safety net for phishing and drive-by download attacks.
CVE-2026-21418 — Office RCE
A remote code execution vulnerability in Microsoft Office that can be triggered by opening a specially crafted document. Combined with the SmartScreen bypass, an attacker could deliver a malicious Office document that runs code without triggering the usual safety warnings.
CVE-2026-21445 — Print Spooler EoP
Another privilege escalation via the Print Spooler service — a component with a long history of security issues (PrintNightmare, among others). It allows elevation to SYSTEM privileges.
CVE-2026-21502 — Hyper-V EoP
A guest-to-host escape vulnerability in Hyper-V that could allow an attacker running code in a virtual machine to elevate privileges to the host operating system. This is particularly dangerous in cloud and virtualization environments.
CVE-2026-21537 — NTLM Spoofing
An NTLM spoofing vulnerability that allows an attacker to relay authentication credentials. NTLM relay attacks remain one of the most effective techniques for lateral movement in Active Directory environments.
Severity Distribution
| Severity | Count |
|---|---|
| Critical | 8 |
| Important | 47 |
| Moderate | 5 |
| Total | ~60 |
Attack Chains to Watch
Security researchers have identified several dangerous combination attacks enabled by this month's vulnerabilities:
Chain 1: Phishing to Full Compromise
CVE-2026-21391 (SmartScreen Bypass)
→ CVE-2026-21418 (Office RCE)
→ CVE-2026-21239 (Kernel EoP to SYSTEM)
This chain allows an attacker to send a phishing email with a malicious document that bypasses SmartScreen, executes code via Office, and escalates to SYSTEM — all using zero-days patched this month.
Chain 2: Lateral Movement in AD
CVE-2026-21537 (NTLM Spoofing)
→ Credential relay to domain controller
→ CVE-2026-21445 (Print Spooler EoP for persistence)
Chain 3: Cloud/Virtualization Escape
Initial access to Hyper-V guest
→ CVE-2026-21502 (Hyper-V guest-to-host escape)
→ Host system compromise
Patch Priorities
Patch Immediately (Active Exploitation Confirmed)
All six zero-days should be patched within 24-48 hours given confirmed exploitation.
Patch This Week
- All Critical rated vulnerabilities
- Any vulnerability in internet-facing services
Patch Within Standard Cycle
- Remaining Important and Moderate vulnerabilities
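The three priority tiers above, applied to this month's table as an added example (not code from the article or its sources): each CVE gets a tier and a due date, and exploited CVEs that a KEV-style feed has not yet listed are flagged so a team does not wait on the catalog. The release date, the 30-day standard cycle, the `internet_facing`/`critical` flags and the two placeholder non-zero-day entries are assumptions; the KEV feed is constructed sample data using the real catalog's field names.

```python
import json
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Vuln:
    cve: str
    component: str
    cvss: float
    exploited: bool         # vendor "exploitation detected" flag (from the article's table)
    internet_facing: bool   # assumption: supplied from the org's own asset inventory
    critical: bool = False  # Microsoft "Critical" rating (the article gives CVSS, not this, per CVE)

# The six zero-days from the article's table, plus two placeholder entries
# standing in for ordinary fixes (constructed; not real CVE ids).
FEB_2026 = [
    Vuln("CVE-2026-21239", "Windows Kernel", 7.8, True, False),
    Vuln("CVE-2026-21391", "Windows SmartScreen", 8.1, True, False),
    Vuln("CVE-2026-21418", "Microsoft Office", 8.8, True, False),
    Vuln("CVE-2026-21445", "Windows Print Spooler", 7.8, True, False),
    Vuln("CVE-2026-21502", "Windows Hyper-V", 7.8, True, False),
    Vuln("CVE-2026-21537", "Windows NTLM", 6.5, True, False),
    Vuln("CVE-2026-PLACEHOLDER-A", "Example web service", 9.1, False, True, critical=True),
    Vuln("CVE-2026-PLACEHOLDER-B", "Example desktop app", 5.4, False, False),
]

# Constructed KEV-style feed (real field names, sample content). It deliberately
# lists only one of the six, mimicking a catalog that has fallen behind.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-21418", "vendorProject": "Microsoft", "product": "Office",
     "dateAdded": "2026-02-10", "dueDate": "2026-03-03"}]})

def kev_ids(feed_json: str) -> set[str]:
    return {v["cveID"] for v in json.loads(feed_json)["vulnerabilities"]}

def triage(vulns, kev: set[str], released: date) -> dict[str, dict]:
    """Map each CVE to the article's tier and a due date; flag KEV gaps."""
    out = {}
    for v in vulns:
        if v.exploited or v.cve in kev:            # Patch Immediately (24-48 h)
            tier, due = 1, released + timedelta(days=2)
        elif v.critical or v.internet_facing:      # Patch This Week
            tier, due = 2, released + timedelta(days=7)
        else:                                      # Standard cycle (assumed 30 days)
            tier, due = 3, released + timedelta(days=30)
        out[v.cve] = {"tier": tier, "due": due.isoformat(),
                      "kev_gap": v.exploited and v.cve not in kev}
    return out

def plan_for_february() -> dict[str, dict]:
    return triage(FEB_2026, kev_ids(KEV_FEED), date(2026, 2, 10))  # assumed release date

if __name__ == "__main__":
    for cve, p in sorted(plan_for_february().items(), key=lambda kv: kv[1]["tier"]):
        gap = "  (exploited but not yet in KEV)" if p["kev_gap"] else ""
        print(f"tier {p['tier']}  due {p['due']}  {cve}{gap}")
```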
The CISA Complication
Under normal circumstances, CISA would:
- Issue emergency directives for actively exploited vulnerabilities
- Update the Known Exploited Vulnerabilities (KEV) catalog
- Coordinate federal patch verification across agencies
- Provide guidance to state/local governments and critical infrastructure
With 62% of CISA furloughed, these activities are severely degraded, meaning organizations must rely more heavily on their own patch management and threat intelligence capabilities.
Key Takeaways
- Six actively exploited zero-days — The highest for a single Patch Tuesday in recent memory
- Dangerous attack chains possible — SmartScreen bypass + Office RCE + kernel EoP creates a phishing-to-SYSTEM pathway
- Hyper-V escape is especially concerning for cloud and virtualization environments
- CISA shutdown degrades coordination — Federal guidance and verification are limited
- Patch immediately — All six zero-days require urgent remediation
Sources
- Malwarebytes — February 2026 Patch Tuesday Includes Six Actively Exploited Zero-Days
- SecurityWeek — 6 Actively Exploited Zero-Days Patched by Microsoft With February 2026 Updates