February Patch Releases Address Actively Exploited Windows Zero-Days and High-Severity Chrome Vulnerabilities
A broad set of February security updates shipped across major vendors, led by Microsoft releasing fixes for 59 Windows flaws, including six actively exploited zero-days affecting multiple Windows components with impacts spanning security feature bypass, privilege escalation, and denial-of-service. Adobe also issued updates across creative products (e.g., Audition, After Effects, InDesign, Lightroom Classic), stating it is not aware of in-the-wild exploitation of the addressed issues.
SAP published fixes for two critical vulnerabilities: CVE-2026-0488 (CVSS 9.9), a code/SQL injection issue in SAP CRM and SAP S/4HANA that could enable arbitrary SQL execution and full database compromise, and CVE-2026-0509 (CVSS 9.6), a missing authorization check in SAP NetWeaver AS ABAP/ABAP Platform that could allow low-privileged users to perform background RFC actions without required S_RFC authorization (mitigations include a kernel update and profile parameter changes). Separately, Google/Chromium released Chrome/Chromium 144 updates addressing 11 CVEs including high-severity issues in V8 and Blink (notably CVE-2026-1220, a V8 race condition), with no confirmed public reporting of active exploitation for those Chrome bugs at the time of publication; Intel and Google also reported multiple vulnerabilities in Intel TDX 1.5 (including CVE-2025-32007, CVE-2025-27940, CVE-2025-30513, CVE-2025-27572, CVE-2025-32467).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Multiple vendors publish February 2026 security advisories
More than 60 software vendors released security fixes across operating systems, cloud services, browsers, enterprise software, and network platforms in the February 2026 patch cycle. The advisories included high- and critical-severity issues in products from vendors such as Cisco, Palo Alto Networks, VMware, Zoom, ServiceNow, and WordPress plugin developers.
Intel and Google assess Intel TDX 1.5 and disclose multiple weaknesses
Intel and Google jointly evaluated Intel TDX 1.5 and reported five CVEs along with additional weaknesses and improvement recommendations. Their findings cited increased trusted computing base complexity as a security concern.
SAP releases fixes for critical CRM, S/4HANA, and NetWeaver issues
SAP issued patches for two critical vulnerabilities, including a code injection flaw affecting SAP CRM and SAP S/4HANA and an authorization-check weakness in SAP NetWeaver ABAP components. Onapsis also published remediation guidance tied to the SAP updates.
Adobe publishes security updates for Creative Cloud products
Adobe released patches for several Creative Cloud products during the February 2026 security update cycle. The company said it was not aware of any in-the-wild exploitation affecting the addressed issues at the time of release.
Microsoft Patch Tuesday fixes 59 flaws, including six exploited zero-days
Microsoft's February 2026 Patch Tuesday addressed 59 vulnerabilities, including six actively exploited zero-days in Windows components. The flaws enabled impacts such as security feature bypass, privilege escalation, and denial-of-service.
Google ships Chrome 144 security updates
Google released Chromium/Chrome 144 updates fixing 11 vulnerabilities, including multiple high-severity issues in V8 and Blink. The fixes were highlighted in February 2026 patch coverage as part of the broader vendor update cycle.
Microsoft issues out-of-band fix for exploited Office zero-day
Microsoft released an out-of-band patch for CVE-2026-21509, an actively exploited Microsoft Office zero-day. Coverage described it as one of the limited cases in the February update cycle with confirmed in-the-wild exploitation.
Oracle releases January 2026 Critical Patch Update
Oracle published its January 2026 Critical Patch Update, delivering 337 security fixes across its product portfolio. The update was later referenced in February patch-roundup coverage as part of the broader wave of vendor advisories.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
February 2026 Patch Tuesday Security Updates for Microsoft Windows and Adobe Products
Microsoft and Adobe released their **February 2026 Patch Tuesday** security updates, with Microsoft addressing **58 vulnerabilities** and reporting **six actively exploited zero-day flaws** as part of the month’s fixes. Microsoft also continued its rollout of **replacements for expiring Secure Boot certificates** and shipped the Windows 10 **KB5075912** Extended Security Update (ESU) for eligible systems (e.g., Windows 10 Enterprise LTSC and ESU-enrolled devices), updating builds to **19045.6937** (Windows 10) and **19044.6937** (LTSC 2021). In addition to security fixes, KB5075912 includes reliability remediation for an issue where some **Secure Launch-capable** PCs with **VSM** enabled could not shut down or hibernate after January 2026 security updates. Adobe published **nine security bulletins** covering **44 CVEs** across products including *After Effects, Audition, InDesign, Adobe Bridge, Lightroom Classic,* and multiple *Substance 3D* applications, with several issues rated **Critical** and potentially leading to **code execution** (notably in *After Effects* and *Substance 3D Stager*). Adobe stated that, at release time, none of the addressed vulnerabilities were listed as publicly known or under active attack, contrasting with Microsoft’s disclosure of in-the-wild exploitation for multiple zero-days in the same Patch Tuesday cycle.
Mar 21, 2026
Microsoft March 2026 Patch Tuesday Fixes Two Zero-Days and Dozens of Vulnerabilities
Microsoft’s March 2026 Patch Tuesday shipped fixes for **79 vulnerabilities**, including **two zero-day flaws**. Public reporting and third-party patch reviews highlight a mix of *Important* and *Critical* issues across Microsoft’s ecosystem, including **.NET** (`CVE-2026-26127` DoS; `CVE-2026-26131` EoP), **Active Directory Domain Services** (`CVE-2026-25177` EoP), **ASP.NET Core** (`CVE-2026-26130` DoS), and multiple Azure components such as **ACI Confidential Containers** (`CVE-2026-23651`, `CVE-2026-26124` EoP; `CVE-2026-26122` information disclosure) and **Azure IoT Explorer** (`CVE-2026-26121` spoofing; `CVE-2026-23661/23662/23664` information disclosure). Independent analysis (ZDI and SANS ISC) corroborated the breadth of affected products and provided additional scoring/metadata, including CVSS ratings and exploitability flags. ZDI’s review also called out additional *Critical* items in the release such as **Microsoft Office RCE** (`CVE-2026-26110`, `CVE-2026-26113`) and other high-impact vulnerabilities, while SANS ISC’s Patch Tuesday coverage additionally noted bundled **Chromium**-tracked fixes (multiple `CVE-2026-3536` through `CVE-2026-3544` entries) that commonly map to Microsoft’s browser/embedded Chromium components. Organizations should prioritize patching systems exposed to untrusted content or authentication boundaries (e.g., Office, AD DS, Azure agents/extensions) and validate deployment coverage across both Windows and cloud-connected workloads.
Mar 21, 2026
Google Patches Two Actively Exploited Chrome Zero-Days
Google released an urgent **Chrome stable channel** update to address two **high-severity zero-day vulnerabilities** that the company says are being **actively exploited in the wild**. The patched versions are `146.0.7680.75/76` for **Windows and macOS** and `146.0.7680.75` for **Linux**, with rollout occurring over days to weeks. The flaws were reported internally by Google on March 10, and Google said access to additional bug details may remain restricted until most users have updated. The two vulnerabilities are **CVE-2026-3909**, an **out-of-bounds write in Skia**, and **CVE-2026-3910**, an **inappropriate implementation in V8**. Both components are high-value targets because they sit in Chrome’s rendering and JavaScript execution paths, creating opportunities for malicious webpages to trigger memory corruption or unsafe browser behavior that could lead to **arbitrary code execution**. The update is a substantive security release rather than routine product news because Google explicitly confirmed that exploits exist for both issues, making rapid patching a priority for enterprises and end users.
Mar 21, 2026