Microsoft February 2026 vulnerability disclosures across Windows, Azure, and developer tools
Microsoft published multiple security advisories for Windows, Azure, and developer tooling, including several high-impact issues spanning remote code execution (RCE), elevation of privilege (EoP), spoofing, information disclosure, denial of service, and security feature bypass. Notable items include Azure SDK for Python RCE CVE-2026-21531 (CVSS 9.8; deserialization of untrusted data), Windows Shell security feature bypass CVE-2026-21510 (CVSS 8.8; exploitability listed as E:F), GitHub Copilot/Visual Studio/VS Code issues enabling RCE/EoP/feature bypass (CVE-2026-21256, CVE-2026-21523, CVE-2026-21257, CVE-2026-21518), and Azure Local RCE CVE-2026-21228 (CVSS 8.1; improper certificate validation). Additional Windows platform flaws include Desktop Window Manager EoP CVE-2026-21519 (type confusion), HTTP.sys EoP CVE-2026-21232 (untrusted pointer dereference), WinSock Ancillary Function Driver EoP CVE-2026-21238 (improper access control), Windows Storage EoP CVE-2026-21508, WSL EoP CVE-2026-21237, Microsoft Word security feature bypass CVE-2026-21514, Outlook spoofing CVE-2026-21511, Windows LDAP DoS CVE-2026-21243, plus ACI Confidential Containers information disclosure CVE-2026-23655 and Azure IoT Explorer information disclosure CVE-2026-21528.
Separately, a detailed third-party writeup described a Windows Error Reporting Service local privilege escalation, CVE-2026-20817, patched in January 2026, where the WER service (wersvc.dll) running as NT AUTHORITY\SYSTEM allegedly fails to validate requester permissions over ALPC, enabling a standard user to trigger process creation with a SYSTEM-derived token (retaining powerful rights such as SeDebugPrivilege, SeImpersonatePrivilege, and SeBackupPrivilege). Another third-party report highlighted a long-standing libpng heap buffer issue, CVE-2026-25646 (CVSS 8.3), in png_set_quantize() that can be triggered by a crafted PNG (palette present, histogram absent) leading to an infinite loop/out-of-bounds read with potential for DoS and, with heap grooming, possible code execution; an additional MSRC entry referenced libjpeg-turbo CVE-2023-2804 (heap-based overflow) as an Important RCE-class issue. Collectively, the disclosures reinforce the need to prioritize patching for internet-reachable components and developer tooling, and to treat local EoP bugs as high-risk in post-compromise and lateral movement scenarios.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
HKCERT publishes bulletin on Microsoft's February 2026 security updates
HKCERT issued a security bulletin covering Microsoft's February 2026 monthly security update. The bulletin reflected and redistributed Microsoft's published vulnerability information for the month.
Microsoft discloses Windows Remote Desktop Services EoP flaw CVE-2026-21533
A Security Update Guide advisory for CVE-2026-21533 identified an elevation of privilege vulnerability in Windows Remote Desktop Services. This appeared as part of Microsoft's February 2026 vulnerability disclosures.
Microsoft publishes February 2026 Security Update Guide entries
Microsoft released Security Update Guide advisories for multiple February 2026 vulnerabilities across Windows, Office, .NET, Azure, GitHub Copilot, Visual Studio, and other products. The disclosed issues included remote code execution, elevation of privilege, spoofing, information disclosure, denial of service, and security feature bypass flaws such as CVE-2026-21519, CVE-2026-21511, CVE-2026-21523, and CVE-2026-21228.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
22 references tracked. Mallory keeps watching after this page renders.
Microsoft Monthly Security Update (February 2026)
hkcert.org
Open sourceCVE-2026-21519 - Security Update Guide - Microsoft - Desktop Window Manager Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-21511 - Security Update Guide - Microsoft - Microsoft Outlook Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-21518 - Security Update Guide - Microsoft - GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-21519 - Security Update Guide - Microsoft - Desktop Window Manager Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-21519 - Security Update Guide - Microsoft - Desktop Window Manager Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-21531 - Security Update Guide - Microsoft - Azure SDK for Python Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-21533 - Security Update Guide - Microsoft - Windows Remote Desktop Services Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft February Patch Tuesday Fixes Actively Exploited Zero-Days Including Windows RDS Privilege Escalation
Microsoft’s February 2026 Patch Tuesday shipped fixes for **58 vulnerabilities** across Windows, Office, and related components, including **six zero-days reported as actively exploited**. Reported zero-days included **CVE-2026-21533** (Windows **Remote Desktop Services** elevation of privilege), **CVE-2026-21510** (Windows Shell security feature bypass involving SmartScreen/Mark-of-the-Web), **CVE-2026-21513** and **CVE-2026-21514** (Office/MSHTML mitigation bypasses requiring user interaction), and **CVE-2026-21525** (Windows Remote Access Connection Manager DoS). Coverage of the release emphasized that elevation-of-privilege issues were the largest category in the update set, and that organizations should prioritize rapid deployment given in-the-wild exploitation claims. For **CVE-2026-21533** (CVSS 7.8, *Important*), reporting cited CrowdStrike observations of an exploit binary used post-compromise to reach **SYSTEM** by modifying a service configuration **registry key** to point to attacker-controlled values, enabling actions such as adding a user to the local Administrators group; the issue primarily impacts Windows systems where RDS is enabled and is positioned as a strong enabler for lateral movement in RDP-heavy environments. Separately, a January 2026-patched local privilege escalation in Windows Error Reporting, **CVE-2026-20817** (CVSS 7.8), was described with technical detail and a released PoC: the WER service (`wersvc.dll`) allegedly failed to validate requester permissions over ALPC, allowing a standard user to trigger process creation with a SYSTEM-derived token retaining powerful privileges (e.g., `SeDebugPrivilege`, `SeImpersonatePrivilege`, `SeBackupPrivilege`), underscoring the broader trend of Windows local EoP bugs being leveraged for post-exploitation escalation.
Mar 21, 2026
Microsoft Patches Multiple Windows Remote Code Execution Flaws Across Core Services
Microsoft published security advisories for a broad set of **remote code execution** vulnerabilities affecting Windows components and enterprise services, including **Windows Telephony Service**, **Hyper-V**, **ReFS**, **WSUS**, **Direct Show**, the **Windows Mobile Broadband Driver**, **Windows Server Setup and Boot Event Collection**, **SQL Server Native Client**, and **.NET**. The largest concentration of disclosures involved the Windows Telephony Service, with multiple CVEs including `CVE-2024-43620`, `CVE-2024-43627`, `CVE-2025-21190`, `CVE-2025-21240`, `CVE-2025-21243`, `CVE-2025-21250`, `CVE-2025-21266`, `CVE-2025-21273`, `CVE-2025-21409`, and `CVE-2025-21413`, indicating sustained patching activity around a single Windows attack surface. Other disclosed RCE issues expanded the risk to virtualization, storage, update infrastructure, and server environments through `CVE-2026-21244` and `CVE-2026-21248` in **Windows Hyper-V**, `CVE-2025-62456` in **Windows Resilient File System (ReFS)**, `CVE-2025-59287` in **Windows Server Update Service (WSUS)**, `CVE-2025-49666` in **Windows Server Setup and Boot Event Collection**, `CVE-2024-49012` in **SQL Server Native Client**, `CVE-2025-21291` in **Windows Direct Show**, and `CVE-2026-24288` in the **Windows Mobile Broadband Driver**. One referenced case, `CVE-2021-34458`, showed the potential severity of Microsoft RCE flaws in virtualized environments, with Microsoft describing a **Critical** Windows Kernel issue that could enable cross-guest interference on systems using **SR-IOV-capable hardware**.
May 25, 2026
Microsoft Fixes 137 Flaws Led by Netlogon, DNS Client, and Dynamics 365 RCEs
Microsoft released fixes for **137 vulnerabilities** across Windows, Azure, Microsoft 365, developer tools, and AI-related products, with no zero-days reported as exploited in the wild. The most urgent issues included a **wormable pre-auth remote code execution** flaw in **Windows Netlogon** (`CVE-2026-41089`), an **unauthenticated RCE** in the **Windows DNS Client** (`CVE-2026-41096`) that can be triggered through crafted DNS responses, and a **remote code execution** bug in **Microsoft Dynamics 365 on-premises** (`CVE-2026-42898`). Microsoft also patched an authenticated **SharePoint Server RCE** (`CVE-2026-40365`), multiple Microsoft Word Preview Pane RCEs, and a critical authentication bypass in the Microsoft SSO Plugin for Jira & Confluence (`CVE-2026-41103`). The release was notable for its severity, with reports citing **16 to 30 critical vulnerabilities** depending on classification, and **14 flaws scoring 9.0 or higher**, including an **Azure DevOps information disclosure** issue rated `CVSS 10.0` that Microsoft said had already been fully mitigated. Elevation-of-privilege bugs made up the largest share of fixes, spanning the Windows kernel, Win32k, TCP/IP, SMB Client, Print Spooler, and other core components; two locally exploitable issues, including **Windows Print Spooler** (`CVE-2026-34342`) and **Windows Message Queueing** (`CVE-2026-33838`), were publicly disclosed alongside patches. Microsoft said its AI-driven bug-finding system **MDASH** identified 16 of the vulnerabilities, and it separately warned enterprises to complete **Secure Boot certificate** updates before June 26, 2026, while noting a BitLocker Recovery issue on some Windows Server 2025 systems with an unrecommended Group Policy setting.
May 14, 2026