Mallory

Microsoft February 2026 vulnerability disclosures across Windows, Azure, and developer tools

Tags: vulnerability disclosures, security advisories, microsoft, azure local, information disclosure, visual studio, remote code execution, windows, security feature bypass, azure, wsl, http.sys, microsoft word, windows shell, azure sdk for python
Updated February 11, 2026 at 09:00 PM. 22 sources.


Microsoft published multiple security advisories for Windows, Azure, and developer tooling, including several high-impact issues spanning remote code execution (RCE), elevation of privilege (EoP), spoofing, information disclosure, denial of service, and security feature bypass. Notable items include Azure SDK for Python RCE CVE-2026-21531 (CVSS 9.8; deserialization of untrusted data), Windows Shell security feature bypass CVE-2026-21510 (CVSS 8.8; CVSS temporal exploitability listed as E:F, meaning functional exploit code exists), GitHub Copilot/Visual Studio/VS Code issues enabling RCE, EoP, or feature bypass (CVE-2026-21256, CVE-2026-21523, CVE-2026-21257, CVE-2026-21518), and Azure Local RCE CVE-2026-21228 (CVSS 8.1; improper certificate validation).

Additional Windows platform flaws include Desktop Window Manager EoP CVE-2026-21519 (type confusion), HTTP.sys EoP CVE-2026-21232 (untrusted pointer dereference), WinSock Ancillary Function Driver EoP CVE-2026-21238 (improper access control), Windows Storage EoP CVE-2026-21508, WSL EoP CVE-2026-21237, Microsoft Word security feature bypass CVE-2026-21514, Outlook spoofing CVE-2026-21511, and Windows LDAP DoS CVE-2026-21243. On the Azure side, the set also covers ACI Confidential Containers information disclosure CVE-2026-23655 and Azure IoT Explorer information disclosure CVE-2026-21528.

Separately, a detailed third-party writeup described a Windows Error Reporting Service local privilege escalation, CVE-2026-20817, patched in January 2026. The WER service (wersvc.dll), which runs as NT AUTHORITY\SYSTEM, allegedly fails to validate the requester's permissions over ALPC, so a standard user can trigger process creation with a SYSTEM-derived token that retains powerful rights such as SeDebugPrivilege, SeImpersonatePrivilege, and SeBackupPrivilege. Another third-party report highlighted a long-standing libpng heap buffer issue, CVE-2026-25646 (CVSS 8.3), in png_set_quantize(): a crafted PNG with a palette present but no histogram can drive the quantizer into an infinite loop or out-of-bounds read, yielding denial of service and, with heap grooming, possibly code execution. An additional MSRC entry referenced libjpeg-turbo CVE-2023-2804 (heap-based overflow) as an Important RCE-class issue. Collectively, the disclosures reinforce the need to prioritize patching for internet-reachable components and developer tooling, and to treat local EoP bugs as high-risk in post-compromise and lateral movement scenarios.

Related Stories

Microsoft February Patch Tuesday Fixes Actively Exploited Zero-Days Including Windows RDS Privilege Escalation


Microsoft’s February 2026 Patch Tuesday shipped fixes for **58 vulnerabilities** across Windows, Office, and related components, including **six zero-days reported as actively exploited**. Reported zero-days included **CVE-2026-21533** (Windows **Remote Desktop Services** elevation of privilege), **CVE-2026-21510** (Windows Shell security feature bypass involving SmartScreen/Mark-of-the-Web), **CVE-2026-21513** and **CVE-2026-21514** (Office/MSHTML mitigation bypasses requiring user interaction), and **CVE-2026-21525** (Windows Remote Access Connection Manager DoS). Coverage of the release emphasized that elevation-of-privilege issues were the largest category in the update set, and that organizations should prioritize rapid deployment given in-the-wild exploitation claims. For **CVE-2026-21533** (CVSS 7.8, *Important*), reporting cited CrowdStrike observations of an exploit binary used post-compromise to reach **SYSTEM** by modifying a service configuration **registry key** to point to attacker-controlled values, enabling actions such as adding a user to the local Administrators group; the issue primarily impacts Windows systems where RDS is enabled and is positioned as a strong enabler for lateral movement in RDP-heavy environments. Separately, a January 2026-patched local privilege escalation in Windows Error Reporting, **CVE-2026-20817** (CVSS 7.8), was described with technical detail and a released PoC: the WER service (`wersvc.dll`) allegedly failed to validate requester permissions over ALPC, allowing a standard user to trigger process creation with a SYSTEM-derived token retaining powerful privileges (e.g., `SeDebugPrivilege`, `SeImpersonatePrivilege`, `SeBackupPrivilege`), underscoring the broader trend of Windows local EoP bugs being leveraged for post-exploitation escalation.
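The CVE-2026-21533 reporting above describes the exploit redirecting a service's configuration in the registry to attacker-controlled values. The script below is an added example (not part of the original reporting or of any Microsoft tooling) that audits every key under HKLM\SYSTEM\CurrentControlSet\Services for two symptoms a defender would look for after such activity: a service binary that resolves outside the usual install locations or no longer exists, and a key ACL that lets a principal other than the expected administrative identities rewrite it. The trusted-root and trusted-writer lists are assumptions to tune per estate; the check is generic hygiene, not a signature for this specific CVE.

```powershell
# Added example (not from the report): audit service configuration keys under
# HKLM\SYSTEM\CurrentControlSet\Services for tampering of the kind described
# for CVE-2026-21533. Trusted roots/writers are assumptions; tune per estate.
# Run elevated so every key's ACL can be read.

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Where service binaries are normally expected to live (assumption)
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

# Principals that may legitimately write service keys (assumption)
$trustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                    'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

# Any of these rights on the key is enough to redirect the service
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-ServiceBinaryPath {
    # Normalise ImagePath to the executable it launches: expand %vars%, strip the
    # \??\ and \SystemRoot\ prefixes, drop quotes and arguments, and root driver
    # paths that are given relative to the Windows directory.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^"([^"]+)"') { $bin = $Matches[1] }
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $bin = $Matches[1] }
    else { $bin = ($p -split '\s+')[0] }
    if ($bin -notmatch '^[A-Za-z]:\\') { $bin = Join-Path $env:SystemRoot $bin }
    return $bin
}

function Test-ServiceKey {
    # Returns one finding string per problem found on a single service key
    param([Parameter(Mandatory)]$Key)   # Microsoft.Win32.RegistryKey from Get-ChildItem
    $findings = New-Object System.Collections.Generic.List[string]
    $props = Get-ItemProperty -LiteralPath $Key.PSPath -ErrorAction SilentlyContinue

    $bin = Get-ServiceBinaryPath $props.ImagePath
    if ($bin) {
        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($bin.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true; break }
        }
        if (-not $trusted) { $findings.Add("ImagePath outside trusted roots: $bin") }
        if (-not (Test-Path -LiteralPath $bin)) { $findings.Add("ImagePath target not found: $bin") }
    }

    # Key ACL: anyone outside the trusted writer set who can rewrite the key
    $acl = Get-Acl -LiteralPath $Key.PSPath -ErrorAction SilentlyContinue
    if ($acl) {
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.RegistryRights -band $writeMask) -eq 0) { continue }
            if ($trustedWriters -contains $ace.IdentityReference.Value) { continue }
            $findings.Add("Writable by $($ace.IdentityReference.Value) ($($ace.RegistryRights))")
        }
    }
    return $findings
}

$report = foreach ($key in Get-ChildItem -LiteralPath $servicesRoot -ErrorAction SilentlyContinue) {
    $f = Test-ServiceKey -Key $key
    if ($f) {
        [pscustomobject]@{ Service = $key.PSChildName; Findings = ($f -join '; ') }
    }
}
$report | Sort-Object Service | Format-Table -AutoSize -Wrap
```

A point-in-time audit only catches what is still in place; to see the change itself, pair it with a baseline export of the Services hive to diff against, and with Windows Security event 4657 (a registry value was modified), which requires object-access auditing and a SACL on the Services key to be generated.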

1 month ago
Microsoft March 2026 Patch Tuesday Vulnerabilities Across SharePoint, Office/Excel, Windows Drivers, and GDI


Microsoft published security advisories for multiple **Important** and **Critical** vulnerabilities affecting *SharePoint Server*, *Microsoft Office/Excel*, Windows components, and *GDI*. The highest-impact server-side issue is **CVE-2026-26114**, a *SharePoint Server* **remote code execution** flaw attributed to **CWE-502 (deserialization of untrusted data)** with a CVSS v3.1 vector `AV:N/AC:L/PR:L/UI:N` (base score shown as 8.8), indicating network reachability with low complexity and requiring low privileges. Microsoft also disclosed **CVE-2026-26105**, a *SharePoint Server* **spoofing** issue mapped to **CWE-79 (XSS)** with `AV:N/AC:L/PR:N/UI:R` (base score shown as 8.1), implying remote exploitation that requires user interaction. On the endpoint/application side, Microsoft listed several *Office/Excel* **remote code execution** vulnerabilities: **CVE-2026-26109** (Excel RCE; **CWE-125 out-of-bounds read**; vector `AV:L/AC:L/PR:N/UI:N`, base score shown as 8.4), **CVE-2026-26108** (Excel RCE; **CWE-122 heap-based buffer overflow**; `AV:L/AC:L/PR:N/UI:R`, base score shown as 7.8), and **CVE-2026-26112** (Excel RCE; **CWE-822 untrusted pointer dereference**; `AV:L/AC:L/PR:N/UI:R`, base score shown as 7.8). Microsoft also published **CVE-2026-26113**, a **Critical** *Microsoft Office* RCE (also **CWE-822**) with `AV:L/AC:L/PR:N/UI:N` (base score shown as 8.4); one reference is a duplicate advisory page for the same CVE. Additional component advisories include **CVE-2026-24288** (Windows Mobile Broadband Driver RCE; **CWE-122**; `AV:P/AC:L/PR:N/UI:N`, base score shown as 6.8, requiring physical access) and **CVE-2026-25190** (GDI RCE; **CWE-426 untrusted search path**; `AV:L/AC:L/PR:N/UI:R`, base score shown as 7.8).
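The vectors quoted above give only the exploitability half of each CVSS v3.1 string, with the base score shown beside it. The calculator below is an added example (not from the advisories or from this page) implementing the CVSS v3.1 base-score formula, so the shown scores can be checked. Because Scope and the C/I/A metrics are not on the page, the full vectors in the block are assumptions chosen to reproduce the published scores (full compromise for the RCEs, no availability impact for the XSS-based spoofing), not Microsoft's published vectors.

```powershell
# Added example (not part of the advisories): CVSS v3.1 base-score calculator,
# weights and formulas from the CVSS v3.1 specification, used to reproduce the
# scores quoted for the March 2026 items.

$Weights = @{
    AV = @{ N = 0.85; A = 0.62; L = 0.55; P = 0.20 }
    AC = @{ L = 0.77; H = 0.44 }
    # PR depends on Scope: first value applies when S:U, second when S:C
    PR = @{ N = @(0.85, 0.85); L = @(0.62, 0.68); H = @(0.27, 0.50) }
    UI = @{ N = 0.85; R = 0.62 }
    C  = @{ H = 0.56; L = 0.22; N = 0.0 }
    I  = @{ H = 0.56; L = 0.22; N = 0.0 }
    A  = @{ H = 0.56; L = 0.22; N = 0.0 }
}

function Get-CvssRoundUp {
    # Roundup() as defined in the v3.1 spec: work on an integer to dodge FP artefacts
    param([double]$Value)
    $i = [int64][math]::Round($Value * 100000, [MidpointRounding]::AwayFromZero)
    if ($i % 10000 -eq 0) { return $i / 100000.0 }
    return ([math]::Floor($i / 10000) + 1) / 10.0
}

function ConvertFrom-CvssVector {
    # Parse "CVSS:3.1/AV:N/AC:L/..." into a metric -> value hashtable, rejecting partial vectors
    param([Parameter(Mandatory)][string]$Vector)
    $m = @{}
    foreach ($part in (($Vector -replace '^CVSS:3\.[01]/', '') -split '/')) {
        $k, $v = $part -split ':', 2
        $m[$k] = $v
    }
    foreach ($required in 'AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A') {
        if (-not $m.ContainsKey($required)) { throw "Vector is missing metric $required : $Vector" }
    }
    return $m
}

function Get-CvssBaseScore {
    param([Parameter(Mandatory)][string]$Vector)
    $m = ConvertFrom-CvssVector $Vector
    $scopeChanged = ($m.S -eq 'C')
    $prIndex = if ($scopeChanged) { 1 } else { 0 }

    # Impact sub-score, then the scope-dependent Impact term
    $iss = 1 - (1 - $Weights.C[$m.C]) * (1 - $Weights.I[$m.I]) * (1 - $Weights.A[$m.A])
    $impact = if ($scopeChanged) {
        7.52 * ($iss - 0.029) - 3.25 * [math]::Pow($iss - 0.02, 15)
    } else {
        6.42 * $iss
    }
    $exploitability = 8.22 * $Weights.AV[$m.AV] * $Weights.AC[$m.AC] *
                      $Weights.PR[$m.PR][$prIndex] * $Weights.UI[$m.UI]

    if ($impact -le 0) { return 0.0 }
    if ($scopeChanged) {
        return Get-CvssRoundUp ([math]::Min(1.08 * ($impact + $exploitability), 10))
    }
    return Get-CvssRoundUp ([math]::Min($impact + $exploitability, 10))
}

# The advisories quote only the exploitability metrics; S/C/I/A below are
# assumptions chosen to reproduce the published scores, not Microsoft's vectors.
$items = @(
    @{ CVE = 'CVE-2026-26114'; Shown = 8.8; Vector = 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H' }
    @{ CVE = 'CVE-2026-26105'; Shown = 8.1; Vector = 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N' }
    @{ CVE = 'CVE-2026-26109'; Shown = 8.4; Vector = 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' }
    @{ CVE = 'CVE-2026-26108'; Shown = 7.8; Vector = 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H' }
    @{ CVE = 'CVE-2026-24288'; Shown = 6.8; Vector = 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' }
)
foreach ($it in $items) {
    $score = Get-CvssBaseScore $it.Vector
    $verdict = if ($score -eq $it.Shown) { 'matches' } else { 'DIFFERS from' }
    '{0}: computed {1} {2} published {3}' -f $it.CVE, $score, $verdict, $it.Shown
}
```

With the assumed impact metrics every computed score matches the published one, which is the point of the exercise: a truncated vector plus a score is enough to recover the missing half with high confidence, but the recovered metrics remain an inference until checked against the MSRC entry.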

6 days ago
Microsoft January Patch Tuesday Fixes 114 Vulnerabilities Including Three Zero-Days


Microsoft’s January Patch Tuesday security updates addressed **114 vulnerabilities**, including **three zero-days** reported as publicly known and/or exploited. Reported issues span multiple Windows and Microsoft product components, including **Desktop Window Manager (DWM)**, legacy modem drivers, and core OS services, with a mix of **information disclosure**, **elevation of privilege (EoP)**, **security feature bypass**, and **remote code execution (RCE)** flaws. Technical highlights called out include **CVE-2023-31096** (Windows Agere Soft Modem Driver EoP), **CVE-2026-20805** (DWM information disclosure), and a **Secure Boot certificate expiration** security feature bypass (**CVE-2026-21265**). The update set also includes multiple **Office/Excel/Word RCE** vulnerabilities (e.g., **CVE-2026-20952**, **CVE-2026-20953**, **CVE-2026-20955**, **CVE-2026-20957**, **CVE-2026-20944**), Windows privilege-escalation issues (e.g., **Windows Graphics Component** and **VBS Enclave** EoP), and cloud/agent components such as **Azure Connected Machine Agent** (**CVE-2026-21224**) and **Azure Core shared client library for Python** (**CVE-2026-21226**).

2 months ago
