Report Name: Microsoft Patch Tuesday, February 2026
Generated: 2026-02-11 21:40:34
| Product Name | Prevalence | U | C | H | M | L | A | Comment |
|---|---|---|---|---|---|---|---|---|
| Windows Kernel | 0.9 | 4 | 4 | Windows Kernel | ||||
| Windows NTLM | 0.9 | 1 | 1 | A suite of security protocols to authenticate users' identity and protect the integrity and confidentiality of their activity | ||||
| GDI+ | 0.8 | 1 | 1 | GDI+ | ||||
| Microsoft Exchange | 0.8 | 1 | 1 | Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft | ||||
| Windows Ancillary Function Driver for WinSock | 0.8 | 3 | 3 | Windows component | ||||
| Windows App for Mac Installer | 0.8 | 1 | 1 | Windows component | ||||
| Windows Connected Devices Platform Service | 0.8 | 1 | 1 | Windows component | ||||
| Windows Graphics Component | 0.8 | 2 | 2 | Windows component | ||||
| Windows HTTP.sys | 0.8 | 3 | 3 | Windows component | ||||
| Windows Lightweight Directory Access Protocol (LDAP) | 0.8 | 1 | 1 | Windows component | ||||
| Windows Notepad App | 0.8 | 1 | 1 | Windows component | ||||
| Windows Remote Access Connection Manager | 0.8 | 1 | 1 | Windows component | ||||
| Windows Remote Desktop Services | 0.8 | 1 | 1 | Remote Desktop Services, known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection | ||||
| Windows Shell | 0.8 | 1 | 1 | Windows component | ||||
| Windows Storage | 0.8 | 1 | 1 | Windows component | ||||
| Windows Subsystem for Linux | 0.8 | 2 | 2 | Windows component | ||||
| .NET | 0.7 | 1 | 1 | .NET | ||||
| Microsoft Excel | 0.6 | 3 | 3 | MS Office product | ||||
| Microsoft Outlook | 0.6 | 2 | 2 | Microsoft Outlook is a personal information manager software system from Microsoft, available as a part of the Microsoft 365 software suites | ||||
| Microsoft Word | 0.6 | 1 | 1 | Microsoft Word is a widely used commercial word processor developed by Microsoft. It is a component of the Microsoft Office suite of productivity software but can also be purchased as a standalone product. | ||||
| Windows Hyper-V | 0.6 | 4 | 4 | Hardware virtualization component of the client editions of Windows NT | ||||
| Azure DevOps Server | 0.5 | 1 | 1 | Azure DevOps Server | ||||
| Azure HDInsight | 0.5 | 1 | 1 | Azure HDInsight | ||||
| Azure IoT Explorer | 0.5 | 1 | 1 | Azure IoT Explorer | ||||
| Azure Local | 0.5 | 1 | 1 | Azure Local | ||||
| Azure SDK for Python | 0.5 | 1 | 1 | Azure SDK for Python | ||||
| Cluster Client Failover (CCF) | 0.5 | 1 | 1 | Cluster Client Failover (CCF) | ||||
| Desktop Window Manager | 0.5 | 1 | 1 | Desktop Window Manager | ||||
| GitHub Copilot and Visual Studio | 0.5 | 2 | 2 | GitHub Copilot and Visual Studio | ||||
| GitHub Copilot and Visual Studio Code | 0.5 | 2 | 2 | GitHub Copilot and Visual Studio Code | ||||
| GitHub Copilot for Jetbrains | 0.5 | 1 | 1 | GitHub Copilot for Jetbrains | ||||
| MSHTML Framework | 0.5 | 1 | 1 | MSHTML Framework | ||||
| Mailslot File System | 0.5 | 1 | 1 | Mailslot File System | ||||
| Microsoft ACI Confidential Containers | 0.5 | 2 | 2 | Microsoft ACI Confidential Containers | ||||
| Microsoft Defender for Endpoint Linux Extension | 0.5 | 1 | 1 | Microsoft Defender for Endpoint Linux Extension | ||||
| libjpeg | 0.5 | 1 | 1 | libjpeg | ||||
| Power BI | 0.3 | 1 | 1 | Power BI is a business analytics service by Microsoft |
| Vulnerability Type | Criticality | U | C | H | M | L | A |
|---|---|---|---|---|---|---|---|
| Remote Code Execution | 1.0 | 1 | 10 | 11 | |||
| Security Feature Bypass | 0.9 | 2 | 1 | 2 | 5 | ||
| Elevation of Privilege | 0.85 | 1 | 1 | 21 | 23 | ||
| Information Disclosure | 0.83 | 5 | 5 | ||||
| Cross Site Scripting | 0.8 | 1 | 1 | ||||
| Denial of Service | 0.7 | 2 | 1 | 3 | |||
| Spoofing | 0.4 | 6 | 6 | ||||
| Unknown Vulnerability Type | 0 | 1 | 1 |
| Source | U | C | H | M | L | A |
|---|---|---|---|---|---|---|
| Qualys | 3 | 3 | 7 | 13 | ||
| Tenable | 3 | 4 | 1 | 8 | ||
| Rapid7 | 3 | 3 | 6 | |||
| ZDI | 3 | 3 | 6 |
1. Security Feature Bypass - Windows Shell (CVE-2026-21510) - Critical [736]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Microsoft website |
| | 0.6 | 17 | The existence of a private exploit is mentioned on Microsoft:PrivateExploit:Functional website |
| | 0.9 | 15 | Security Feature Bypass |
| | 0.8 | 14 | Windows component |
| | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-21510: Windows Shell Security Feature Bypass Vulnerability The Windows Shell is the primary interface for users to interact with the Windows operating system, encompassing visible elements like the Desktop, Taskbar, and Start Menu. A failure in the Windows Shell protection mechanism may allow an unauthenticated attacker to bypass a network security feature. An attacker must convince a user to open a malicious link or shortcut file to exploit the vulnerability. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
Tenable: Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (CVE-2026-21510, CVE-2026-21513)
Tenable: CVE-2026-21510 | Windows Shell Security Feature Bypass Vulnerability
Tenable: CVE-2026-21510 is a security feature bypass vulnerability affecting Windows Shell. It was assigned a CVSSv3 score of 8.8 and was rated as important. According to Microsoft, this flaw was publicly disclosed prior to a patch being made available and was also exploited in the wild as a zero-day. Exploitation requires an attacker to convince an unsuspecting user to open a malicious link or shortcut file. This would allow the attacker to bypass Windows SmartScreen and Windows Shell warnings by exploiting a flaw in Windows Shell components.
Rapid7: CVE-2026-21510 describes a zero-day Windows Shell security feature bypass vulnerability which is already exploited in the wild. Not to be confused with PowerShell, most people will use the Windows Shell without ever learning its name or even really contemplating its existence. The Windows Shell is Microsoft’s term for the GUI interaction logic for the entire OS provided by explorer.exe and associated libraries and APIs.
Rapid7: CVE-2026-21510 provides an attacker with a way to dodge those pesky Smart Screen or other “are you sure?” prompts. The advisory sets out that “an attacker must convince a user to open a malicious link or shortcut file”. We could parse this wording more than one way, and while shortcut files with a .lnk extension are certainly a prime suspect here, it’s possible that .url files might also be a vector.
Rapid7: Ultimately, although none of the advisories for CVE-2026-21510, CVE-2026-21513, or CVE-2026-21514 explicitly come out and say it, it’s likely that exploitation in each case involves tricking Windows into participating in another Mark-of-the-Web laundering scheme using flaws in old components.
ZDI: CVE-2026-21510 - Windows Shell Security Feature Bypass Vulnerability. This bug is listed as a security feature bypass, but it could also be classified as code execution. An attacker can bypass Windows SmartScreen and Windows Shell security prompts to execute code on a target system. This bug is also listed as publicly known, but Microsoft doesn’t say where. There is user interaction here, as the client needs to click a link or a shortcut file. Still, a one-click bug to gain code execution is a rarity. Definitely test and deploy this fix quickly.
2. Elevation of Privilege - Windows Remote Desktop Services (CVE-2026-21533) - Critical [716]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Microsoft website |
| | 0.6 | 17 | The existence of a private exploit is mentioned on Microsoft:PrivateExploit:Functional website |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Remote Desktop Services, known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-21533: Windows Remote Desktop Services Elevation of Privilege Vulnerability Windows Remote Desktop Services (RDS) is a Microsoft Windows Server technology that allows users to securely access virtualized desktops, applications, and resources from any device, anywhere. An improper privilege management flaw in Windows Remote Desktop could allow an authenticated attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
Tenable: CVE-2026-21533 | Windows Remote Desktop Services Elevation of Privilege Vulnerability
Tenable: CVE-2026-21533 is an EoP vulnerability affecting Windows Remote Desktop Services. It was assigned a CVSSv3 score of 7.8, rated as important and was reportedly exploited in the wild. Successful exploitation allows a local, authenticated attacker to elevate to SYSTEM privileges.
Rapid7: Remote Desktop Services (RDP) are designed to allow a duly authorized remote user to interact with the server, but CVE-2026-21533 allows an unauthorized local user to elevate privileges to SYSTEM. Every Windows Server product back as far as Server 2012 receives patches, so this one has been present for a while. It’s possible that today’s patches close off a long-running exploitation story for at least one threat actor.
ZDI: CVE-2026-21533 - Windows Remote Desktop Services Elevation of Privilege Vulnerability. Don’t let the word “Remote” in the title fool you – this is a local bug that allows attackers to run code with SYSTEM privileges. It’s interesting that Microsoft lists “Improper privilege management” as the root cause for this issue. If the system is running Remote Desktop Services, it’s probably a juicy target for attackers to move laterally after an initial breach. Add this one to the list of patches to test and deploy immediately.
3. Security Feature Bypass - Microsoft Word (CVE-2026-21514) - Critical [691]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Microsoft website |
| | 0.6 | 17 | The existence of a private exploit is mentioned on Microsoft:PrivateExploit:Functional website |
| | 0.9 | 15 | Security Feature Bypass |
| | 0.6 | 14 | Microsoft Word is a widely used commercial word processor developed by Microsoft. It is a component of the Microsoft Office suite of productivity software but can also be purchased as a standalone product. |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-21514: Microsoft Word Security Feature Bypass Vulnerability An attacker must send a user a malicious Office file and convince them to open it to exploit the vulnerability. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
Tenable: CVE-2026-21514 | Microsoft Word Security Feature Bypass Vulnerability
Tenable: CVE-2026-21514 is a security feature bypass vulnerability affecting Microsoft Word. It was assigned a CVSSv3 score of 7.8 and rated as important. Successful exploitation requires an attacker to convince a user to open a crafted Office file. According to the Microsoft advisory, the preview pane is not an attack vector. This vulnerability was publicly disclosed prior to a patch being made available and was also exploited in the wild as a zero-day. Microsoft credited the discovery of this vulnerability to an Anonymous researcher, Google Threat Intelligence Group, Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC) and Office Product Group Security Team.
Rapid7: If good things come in threes, then perhaps CVE-2026-21514 makes security bypass zero-day vulnerabilities a good thing. Exploitation involves bypassing Object Linking & Embedding (OLE) mitigations by convincing the user to open a malicious Word document. The advisory only lists remediations for LTSC versions of Office and on-prem Microsoft 365 Apps for Enterprise, without mentioning the standard Microsoft 365 suite.
Rapid7: It’s curious that Microsoft has evaluated the attack vector for CVE-2026-21514 as local, because MSRC typically assesses any vulnerability which boils down to “remote attacker tricks user into opening malicious payload” as a remote attack, based on the location of the attacker. However, the advisory specifically calls out that “reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.” It’s not clear whether this is a deviation from prior practice by MSRC, an inadvertent mis-assessment, or an unusual-but-correct assessment of an attack vector that relies on details which Microsoft has not made public. Happily, the Preview Pane is not a vector, which raises the bar slightly for an attacker, since the user must explicitly open the malicious file or web page.
Rapid7: Ultimately, although none of the advisories for CVE-2026-21510, CVE-2026-21513, or CVE-2026-21514 explicitly come out and say it, it’s likely that exploitation in each case involves tricking Windows into participating in another Mark-of-the-Web laundering scheme using flaws in old components.
ZDI: CVE-2026-21514 - Microsoft Word Security Feature Bypass Vulnerability. This bug also requires user interaction in the form of opening a Word document, but that’s all that’s required to bypass protections to dangerous COM/OLE controls. Thankfully, the Preview Pane is not an attack vector here. However, users are well known to open lots of documents they receive in e-mail. This bypass could also result in code execution if the right COM/OLE control is hit. This is also listed as publicly known, so add this to the list to test and deploy quickly.
4. Security Feature Bypass - MSHTML Framework (CVE-2026-21513) - High [565]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Microsoft website |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.9 | 15 | Security Feature Bypass |
| | 0.5 | 14 | MSHTML Framework |
| | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-21513: MSHTML Framework Security Feature Bypass Vulnerability The MSHTML Framework (also known as Trident) is a proprietary browser engine developed by Microsoft. It is a software component that renders web pages and other HTML content within applications running on Microsoft Windows. A failure in the MSHTML Framework protection mechanism could allow an unauthenticated attacker to bypass a security feature over a network. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
Tenable: Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (CVE-2026-21510, CVE-2026-21513)
Tenable: CVE-2026-21513 | MSHTML Framework Security Feature Bypass Vulnerability
Tenable: CVE-2026-21513 is a security feature bypass vulnerability in the MSHTML Framework. It was assigned a CVSSv3 score of 8.8 and rated as important. According to Microsoft, it was both exploited in the wild and publicly disclosed prior to a patch being available. Successful exploitation of this flaw requires an attacker to convince a potential victim into opening either a malicious HTML file or a shortcut (.lnk) file. Like similar security feature bypass flaws, this vulnerability can bypass protection prompts that would caution a user before opening a file.
Rapid7: The venerable MSHTML/Trident web rendering engine is still present in Windows as a daily driver for Office and Explorer, many years after most people stopped using Internet Explorer. Accordingly, every so often Microsoft has to patch another zero-day vulnerability in the browser it can’t quite bring itself to rip out of its flagship operating system. Today’s example is CVE-2026-21513, a security feature bypass which starts with the attacker convincing a user to open a malicious HTML file or shortcut file.
Rapid7: Ultimately, although none of the advisories for CVE-2026-21510, CVE-2026-21513, or CVE-2026-21514 explicitly come out and say it, it’s likely that exploitation in each case involves tricking Windows into participating in another Mark-of-the-Web laundering scheme using flaws in old components.
ZDI: CVE-2026-21513 - Internet Explorer Security Feature Bypass Vulnerability. Although long gone by many measurements, IE does still exist on Windows systems, and calling it always results in a vulnerability somehow. This bug manifests similarly to the Shell bug above, as it requires user interaction but could result in code execution. The bypass here is simply the ability to reach IE, which shouldn’t be possible. Again, test and deploy this fix quickly.
5. Denial of Service - Windows Remote Access Connection Manager (CVE-2026-21525) - High [544]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Microsoft website |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.7 | 15 | Denial of Service |
| | 0.8 | 14 | Windows component |
| | 0.6 | 10 | CVSS Base Score is 6.2. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-21525: Windows Remote Access Connection Manager Denial of Service Vulnerability Windows Remote Access Connection Manager is a core Windows service that manages dial-up and Virtual Private Network connections, allowing user computers to securely connect to remote networks, corporate resources, or other devices. A null pointer dereference in Windows Remote Access Connection Manager could allow an unauthenticated attacker to deny service locally. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
Tenable: CVE-2026-21525 | Windows Remote Access Connection Manager Denial of Service Vulnerability
Tenable: CVE-2026-21525 is a denial of service (DoS) vulnerability affecting Windows Remote Access Connection Manager (also known as RasMan), a tool used for the management of multiple remote desktop connections. It was assigned a CVSSv3 score of 6.2, was rated as important and was exploited in the wild. While no information has been released about the exploitation of this DoS, the advisory credits the 0patch vulnerability research team for reporting this flaw.
Rapid7: Exploited in the wild, but perhaps of less concern is CVE-2026-21525, a local denial of service vulnerability in the Windows Remote Access Connection Manager (RasMan). Somewhat unusually for a local vulnerability, the advisory sets out that no privileges are required at all, so even a guest account can exploit this one. You have disabled those guest accounts, right?
ZDI: CVE-2026-21525 - Windows Remote Access Connection Manager Denial of Service Vulnerability. It’s unusual to see DoS bugs being used in active attacks, but that’s what we have here. A null pointer deref in the Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally. Most null pointer derefs cause the application or service to crash, but it’s not clear if it will automatically restart. I would exercise caution and patch quickly either way.
6. Elevation of Privilege - Desktop Window Manager (CVE-2026-21519) - High [544]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 1.0 | 18 | Exploitation in the wild is mentioned on Microsoft website |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.5 | 14 | Desktop Window Manager |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-21519: Desktop Windows Manager Elevation of Privilege Vulnerability Desktop Window Manager is a system service in Windows (Vista and later) that enables visual effects such as transparency, window animations, and live taskbar thumbnails via GPU hardware acceleration. A type confusion flaw in the Desktop Window Manager may allow an authenticated attacker to elevate privileges locally. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
Tenable: CVE-2026-21519 | Desktop Window Manager Elevation of Privilege Vulnerability
Tenable: CVE-2026-21519 is an EoP vulnerability affecting Desktop Window Manager, a Windows service used to render the graphical user interface (GUI) in Windows. It was assigned a CVSSv3 score of 7.8 and rated as important. A local, authenticated attacker could exploit this vulnerability to elevate to SYSTEM privileges. According to Microsoft, this vulnerability was exploited in the wild as a zero-day.
Rapid7: For the second month in a row, the Windows Desktop Windows Manager (DWM) is the site of an exploited-in-the-wild zero-day vulnerability. Last month’s CVE-2026-20805 was an information disclosure vulnerability, effectively a treasure map for threat actors seeking the otherwise obfuscated in-memory address of the kernel-space DWM process. The publication of zero-day elevation of privilege (EoP) vulnerability CVE-2026-21519 today very likely reflects MSTIC and MSRC working to thwart the same threat actor in both cases. As Rapid7 has noted in the past, initial access coupled with local elevation of privilege vulnerabilities is the staple diet of many successful attackers, so the lower CVSS v3 base score of 7.8 seen here versus a broadly equivalent remote code execution is not a sign to delay patching.
ZDI: CVE-2026-21519 - Desktop Window Manager Elevation of Privilege Vulnerability. This is the second month in a row that a DWM was listed as being exploited in the wild. That leads me to believe the first patch didn’t completely resolve the vulnerability. Same as last month, this bug allows attackers to run code with SYSTEM privileges. Bugs of this type are typically paired with a code execution bug to take over a system. As always, Microsoft offers no indication of how widespread these exploits may be.
7. Denial of Service - libjpeg (CVE-2023-2804) - High [517]
Description: A heap-based buffer overflow issue was discovered in
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 1.0 | 17 | The existence of a publicly available exploit is mentioned on NVD:PublicExploit:github.com website |
| | 0.7 | 15 | Denial of Service |
| | 0.5 | 14 | libjpeg |
| | 0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source |
| | 0.2 | 10 | EPSS Probability is 0.00061, EPSS Percentile is 0.18908 |
Tenable: Microsoft patched 54 CVEs in its February 2026 Patch Tuesday release, with two rated critical, 51 rated as important and one rated as moderate. We omitted one vulnerability from our counts this month, CVE-2023-2804, a heap based overflow vulnerability in the libjpeg-turbo component.
8. Remote Code Execution - Windows Notepad App (CVE-2026-20841) - High [419]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.8 | 14 | Windows component |
| | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
9. Elevation of Privilege - Microsoft ACI Confidential Containers (CVE-2026-21522) - Medium [399]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0.4 | 17 | The existence of a private exploit is mentioned on Microsoft:PrivateExploit:PoC website |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.5 | 14 | Microsoft ACI Confidential Containers |
| | 0.7 | 10 | CVSS Base Score is 6.7. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-21522: Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability A command injection flaw in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. Upon successful exploitation, an attacker could execute arbitrary commands within the affected ACI container’s context, thereby running code with the same privileges as the compromised container.
10. Elevation of Privilege - Windows Kernel (CVE-2026-21231) - Medium [397]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.9 | 14 | Windows Kernel |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: Other Microsoft Vulnerability Highlights CVE-2026-21511 is a spoofing vulnerability in Microsoft Outlook. Deserialization of untrusted data in Microsoft Office Outlook may allow an unauthenticated attacker to perform network spoofing. CVE-2026-21253 is an elevation of privilege vulnerability in the Mailslot File System. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. CVE-2026-21241 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. Successful exploitation of the vulnerability may allow an authenticated attacker to gain SYSTEM privileges. CVE-2026-21238 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. Successful exploitation of the vulnerability may allow an authenticated attacker to gain SYSTEM privileges. CVE-2026-21231 is an elevation of privilege vulnerability in the Windows Kernel. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
11. Elevation of Privilege - Windows Kernel (CVE-2026-21239) - Medium [397]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.9 | 14 | Windows Kernel |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
12. Elevation of Privilege - Windows Kernel (CVE-2026-21245) - Medium [397]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.9 | 14 | Windows Kernel |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
13. Elevation of Privilege - Windows Ancillary Function Driver for WinSock (CVE-2026-21236) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
14. Elevation of Privilege - Windows Ancillary Function Driver for WinSock (CVE-2026-21238) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: Other Microsoft Vulnerability Highlights CVE-2026-21511 is a spoofing vulnerability in Microsoft Outlook. Deserialization of untrusted data in Microsoft Office Outlook may allow an unauthenticated attacker to perform network spoofing. CVE-2026-21253 is an elevation of privilege vulnerability in the Mailslot File System. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. CVE-2026-21241 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. Successful exploitation of the vulnerability may allow an authenticated attacker to gain SYSTEM privileges. CVE-2026-21238 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. Successful exploitation of the vulnerability may allow an authenticated attacker to gain SYSTEM privileges. CVE-2026-21231 is an elevation of privilege vulnerability in the Windows Kernel. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
15. Elevation of Privilege - Windows Graphics Component (CVE-2026-21246) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
16. Elevation of Privilege - Windows HTTP.sys (CVE-2026-21232) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
17. Elevation of Privilege - Windows HTTP.sys (CVE-2026-21240) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
18. Elevation of Privilege - Windows HTTP.sys (CVE-2026-21250) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
19. Remote Code Execution - Azure SDK for Python (CVE-2026-21531) - Medium [380]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.5 | 14 | Azure SDK for Python |
| | 1.0 | 10 | CVSS Base Score is 9.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
20. Information Disclosure - Windows Kernel (CVE-2026-21222) - Medium [369]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.9 | 14 | Windows Kernel |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
21. Remote Code Execution - GitHub Copilot and Visual Studio (CVE-2026-21256) - Medium [369]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.5 | 14 | GitHub Copilot and Visual Studio |
| | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
22. Remote Code Execution - GitHub Copilot for Jetbrains (CVE-2026-21516) - Medium [369]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.5 | 14 | GitHub Copilot for Jetbrains |
| | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
23. Remote Code Execution - Microsoft Defender for Endpoint Linux Extension (CVE-2026-21537) - Medium [369]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.5 | 14 | Microsoft Defender for Endpoint Linux Extension |
| | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
24. Elevation of Privilege - Windows Ancillary Function Driver for WinSock (CVE-2026-21241) - Medium [368]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
25. Elevation of Privilege - Windows App for Mac Installer (CVE-2026-21517) - Medium [368]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
26. Elevation of Privilege - Windows Connected Devices Platform Service (CVE-2026-21234) - Medium [368]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
27. Elevation of Privilege - Windows Graphics Component (CVE-2026-21235) - Medium [368]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.7 | 10 | CVSS Base Score is 7.3. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
28. Elevation of Privilege - Windows Storage (CVE-2026-21508) - Medium [368]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
29. Elevation of Privilege - Windows Subsystem for Linux (CVE-2026-21237) - Medium [368]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
30. Elevation of Privilege - Windows Subsystem for Linux (CVE-2026-21242) - Medium [368]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.8 | 14 | Windows component |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
31. Security Feature Bypass - Windows Hyper-V (CVE-2026-21255) - Medium [367]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.9 | 15 | Security Feature Bypass |
| | 0.6 | 14 | Hardware virtualization component of the client editions of Windows NT |
| | 0.9 | 10 | CVSS Base Score is 8.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
32. Remote Code Execution - Windows Hyper-V (CVE-2026-21244) - Medium [361]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.6 | 14 | Hardware virtualization component of the client editions of Windows NT |
| | 0.7 | 10 | CVSS Base Score is 7.3. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
33. Remote Code Execution - Windows Hyper-V (CVE-2026-21247) - Medium [361]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.6 | 14 | Hardware virtualization component of the client editions of Windows NT |
| | 0.7 | 10 | CVSS Base Score is 7.3. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
34. Remote Code Execution - Windows Hyper-V (CVE-2026-21248) - Medium [361]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.6 | 14 | Hardware virtualization component of the client editions of Windows NT |
| | 0.7 | 10 | CVSS Base Score is 7.3. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
35. Remote Code Execution - Azure Local (CVE-2026-21228) - Medium [357]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.5 | 14 | Azure Local |
| | 0.8 | 10 | CVSS Base Score is 8.1. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
36. Remote Code Execution - GitHub Copilot and Visual Studio Code (CVE-2026-21523) - Medium [357]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.5 | 14 | GitHub Copilot and Visual Studio Code |
| | 0.8 | 10 | CVSS Base Score is 8.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
37. Denial of Service - Windows Lightweight Directory Access Protocol (LDAP) (CVE-2026-21243) - Medium [353]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.7 | 15 | Denial of Service |
| | 0.8 | 14 | Windows component |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
38. Elevation of Privilege - Microsoft Excel (CVE-2026-21259) - Medium [347]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.6 | 14 | MS Office product |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
39. Elevation of Privilege - Cluster Client Failover (CCF) (CVE-2026-21251) - Medium [330]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.5 | 14 | Cluster Client Failover (CCF) |
| | 0.8 | 10 | CVSS Base Score is 7.8. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
40. Elevation of Privilege - GitHub Copilot and Visual Studio (CVE-2026-21257) - Medium [330]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.5 | 14 | GitHub Copilot and Visual Studio |
| | 0.8 | 10 | CVSS Base Score is 8.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
41. Security Feature Bypass - GitHub Copilot and Visual Studio Code (CVE-2026-21518) - Medium [327]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.9 | 15 | Security Feature Bypass |
| | 0.5 | 14 | GitHub Copilot and Visual Studio Code |
| | 0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
42. Remote Code Execution - Power BI (CVE-2026-21229) - Medium [323]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 1.0 | 15 | Remote Code Execution |
| | 0.3 | 14 | Power BI is a business analytics service by Microsoft |
| | 0.8 | 10 | CVSS Base Score is 8.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
43. Information Disclosure - Microsoft Excel (CVE-2026-21258) - Medium [319]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.6 | 14 | MS Office product |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
44. Information Disclosure - Microsoft Excel (CVE-2026-21261) - Medium [319]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.6 | 14 | MS Office product |
| | 0.6 | 10 | CVSS Base Score is 5.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
45. Elevation of Privilege - Mailslot File System (CVE-2026-21253) - Medium [318]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.85 | 15 | Elevation of Privilege |
| | 0.5 | 14 | Mailslot File System |
| | 0.7 | 10 | CVSS Base Score is 7.0. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
46. Information Disclosure - Azure IoT Explorer (CVE-2026-21528) - Medium [314]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.5 | 14 | Azure IoT Explorer |
| | 0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
47. Information Disclosure - Microsoft ACI Confidential Containers (CVE-2026-23655) - Medium [314]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.83 | 15 | Information Disclosure |
| | 0.5 | 14 | Microsoft ACI Confidential Containers |
| | 0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-23655: Microsoft ACI Confidential Containers Information Disclosure Vulnerability. Upon successful exploitation of the vulnerability, an attacker could disclose the secret tokens and keys.
48. Cross Site Scripting - Azure DevOps Server (CVE-2026-21512) - Medium [309]
Description: Azure DevOps Server Cross-Site Scripting Vulnerability
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.8 | 15 | Cross Site Scripting |
| | 0.5 | 14 | Azure DevOps Server |
| | 0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
49. Spoofing - Microsoft Exchange (CVE-2026-21527) - Medium [288]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.4 | 15 | Spoofing |
| | 0.8 | 14 | Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft |
| | 0.7 | 10 | CVSS Base Score is 6.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
50. Spoofing - .NET (CVE-2026-21218) - Medium [283]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.4 | 15 | Spoofing |
| | 0.7 | 14 | .NET |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
51. Spoofing - Microsoft Outlook (CVE-2026-21260) - Medium [266]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.4 | 15 | Spoofing |
| | 0.6 | 14 | Microsoft Outlook is a personal information manager software system from Microsoft, available as a part of the Microsoft 365 software suites |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
52. Spoofing - Microsoft Outlook (CVE-2026-21511) - Medium [266]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.4 | 15 | Spoofing |
| | 0.6 | 14 | Microsoft Outlook is a personal information manager software system from Microsoft, available as a part of the Microsoft 365 software suites |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Tenable: CVE-2026-21511 | Microsoft Outlook Spoofing Vulnerability
Tenable: CVE-2026-21511 is a spoofing vulnerability affecting Microsoft Outlook. It was assigned a CVSSv3 score of 7.5 and was rated as important. The spoofing vulnerability is the result of a deserialization of untrusted data flaw, which an attacker can trigger using a crafted email. Microsoft notes that the preview pane is an attack vector for this flaw. CVE-2026-21511 was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.
53. Spoofing - Windows NTLM (CVE-2026-21249) - Medium [257]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.4 | 15 | Spoofing |
| | 0.9 | 14 | A suite of security protocols to authenticate users' identity and protect the integrity and confidentiality of their activity |
| | 0.3 | 10 | CVSS Base Score is 3.3. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
54. Unknown Vulnerability Type - GDI+ (CVE-2026-20846) - Medium [228]
Description: Buffer over-read in Windows GDI+ allows an unauthorized attacker to deny service over a network.
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0 | 15 | Unknown Vulnerability Type |
| | 0.8 | 14 | GDI+ |
| | 0.8 | 10 | CVSS Base Score is 7.5. According to NVD data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
55. Spoofing - Azure HDInsight (CVE-2026-21529) - Medium [226]
Description:
| Component | Value | Weight | Comment |
|---|---|---|---|
| | 0 | 18 | Exploitation in the wild is NOT mentioned in available Data Sources |
| | 0 | 17 | The existence of publicly available or private exploit is NOT mentioned in available Data Sources |
| | 0.4 | 15 | Spoofing |
| | 0.5 | 14 | Azure HDInsight |
| | 0.6 | 10 | CVSS Base Score is 5.7. According to Microsoft data source |
| | 0 | 10 | EPSS Probability is 0, EPSS Percentile is 0 |
Qualys: CVE-2026-21510: Windows Shell Security Feature Bypass Vulnerability. The Windows Shell is the primary interface for users to interact with the Windows operating system, encompassing visible elements like the Desktop, Taskbar, and Start Menu. A failure in the Windows Shell protection mechanism may allow an unauthenticated attacker to bypass a network security feature. An attacker must convince a user to open a malicious link or shortcut file to exploit the vulnerability. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
Tenable: Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (CVE-2026-21510, CVE-2026-21513)
Tenable: CVE-2026-21510 | Windows Shell Security Feature Bypass Vulnerability
Tenable: CVE-2026-21510 is a security feature bypass vulnerability affecting Windows Shell. It was assigned a CVSSv3 score of 8.8 and was rated as important. According to Microsoft, this flaw was publicly disclosed prior to a patch being made available and was also exploited in the wild as a zero-day. Exploitation requires an attacker to convince an unsuspecting user to open a malicious link or shortcut file. This would allow the attacker to bypass Windows SmartScreen and Windows Shell warnings by exploiting a flaw in Windows Shell components.
Rapid7: CVE-2026-21510 describes a zero-day Windows Shell security feature bypass vulnerability which is already exploited in the wild. Not to be confused with PowerShell, most people will use the Windows Shell without ever learning its name or even really contemplating its existence. The Windows Shell is Microsoft’s term for the GUI interaction logic for the entire OS provided by explorer.exe and associated libraries and APIs.
Rapid7: CVE-2026-21510 provides an attacker with a way to dodge those pesky Smart Screen or other “are you sure?” prompts. The advisory sets out that “an attacker must convince a user to open a malicious link or shortcut file”. We could parse this wording more than one way, and while shortcut files with a .lnk extension are certainly a prime suspect here, it’s possible that .url files might also be a vector.
Rapid7: Ultimately, although none of the advisories for CVE-2026-21510, CVE-2026-21513, or CVE-2026-21514 explicitly come out and say it, it’s likely that exploitation in each case involves tricking Windows into participating in another Mark-of-the-Web laundering scheme using flaws in old components.
ZDI: CVE-2026-21510 - Windows Shell Security Feature Bypass Vulnerability. This bug is listed as a security feature bypass, but it could also be classified as code execution. An attacker can bypass Windows SmartScreen and Windows Shell security prompts to execute code on a target system. This bug is also listed as publicly known, but Microsoft doesn’t say where. There is user interaction here, as the client needs to click a link or a shortcut file. Still, a one-click bug to gain code execution is a rarity. Definitely test and deploy this fix quickly.
Qualys: CVE-2026-21514: Microsoft Word Security Feature Bypass Vulnerability. An attacker must send a user a malicious Office file and convince them to open it to exploit the vulnerability. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
Tenable: CVE-2026-21514 | Microsoft Word Security Feature Bypass Vulnerability
Tenable: CVE-2026-21514 is a security feature bypass vulnerability affecting Microsoft Word. It was assigned a CVSSv3 score of 7.8 and rated as important. Successful exploitation requires an attacker to convince a user to open a crafted Office file. According to the Microsoft advisory, the preview pane is not an attack vector. This vulnerability was publicly disclosed prior to a patch being made available and was also exploited in the wild as a zero-day. Microsoft credited the discovery of this vulnerability to an Anonymous researcher, Google Threat Intelligence Group, Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC) and Office Product Group Security Team.
Rapid7: If good things come in threes, then perhaps CVE-2026-21514 makes security bypass zero-day vulnerabilities a good thing. Exploitation involves bypassing Object Linking & Embedding (OLE) mitigations by convincing the user to open a malicious Word document. The advisory only lists remediations for LTSC versions of Office and on-prem Microsoft 365 Apps for Enterprise, without mentioning the standard Microsoft 365 suite.
Rapid7: It’s curious that Microsoft has evaluated the attack vector for CVE-2026-21514 as local, because MSRC typically assesses any vulnerability which boils down to “remote attacker tricks user into opening malicious payload” as a remote attack, based on the location of the attacker. However, the advisory specifically calls out that “reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.” It’s not clear whether this is a deviation from prior practice by MSRC, an inadvertent mis-assessment, or an unusual-but-correct assessment of an attack vector that relies on details which Microsoft has not made public. Happily, the Preview Pane is not a vector, which raises the bar slightly for an attacker, since the user must explicitly open the malicious file or web page.
ZDI: CVE-2026-21514 - Microsoft Word Security Feature Bypass Vulnerability. This bug also requires user interaction in the form of opening a Word document, but that’s all that’s required to bypass protections to dangerous COM/OLE controls. Thankfully, the Preview Pane is not an attack vector here. However, users are well known to open lots of documents they receive in e-mail. This bypass could also result in code execution if the right COM/OLE control is hit. This is also listed as publicly known, so add this to the list to test and deploy quickly.
Qualys: CVE-2026-21513: MSHTML Framework Security Feature Bypass Vulnerability. The MSHTML Framework (also known as Trident) is a proprietary browser engine developed by Microsoft. It is a software component that renders web pages and other HTML content within applications running on Microsoft Windows. A failure in the MSHTML Framework protection mechanism could allow an unauthenticated attacker to bypass a security feature over a network. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
Tenable: Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (CVE-2026-21510, CVE-2026-21513)
Tenable: CVE-2026-21513 | MSHTML Framework Security Feature Bypass Vulnerability
Tenable: CVE-2026-21513 is a security feature bypass vulnerability in the MSHTML Framework. It was assigned a CVSSv3 score of 8.8 and rated as important. According to Microsoft, it was both exploited in the wild and publicly disclosed prior to a patch being available. Successful exploitation of this flaw requires an attacker to convince a potential victim to open either a malicious HTML file or a shortcut (.lnk) file. Like similar security feature bypass flaws, this vulnerability can bypass protection prompts that would caution a user before opening a file.
Rapid7: The venerable MSHTML/Trident web rendering engine is still present in Windows as a daily driver for Office and Explorer, many years after most people stopped using Internet Explorer. Accordingly, every so often Microsoft has to patch another zero-day vulnerability in the browser it can’t quite bring itself to rip out of its flagship operating system. Today’s example is CVE-2026-21513, a security feature bypass which starts with the attacker convincing a user to open a malicious HTML file or shortcut file.
ZDI: CVE-2026-21513 - Internet Explorer Security Feature Bypass Vulnerability. Although long gone by many measurements, IE does still exist on Windows systems, and calling it always results in a vulnerability somehow. This bug manifests similarly to the Shell bug above, as it requires user interaction but could result in code execution. The bypass here is simply the ability to reach IE, which shouldn’t be possible. Again, test and deploy this fix quickly.
Qualys: CVE-2026-21533: Windows Remote Desktop Services Elevation of Privilege Vulnerability. Windows Remote Desktop Services (RDS) is a Microsoft Windows Server technology that allows users to securely access virtualized desktops, applications, and resources from any device, anywhere. An improper privilege management flaw in Windows Remote Desktop could allow an authenticated attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
Tenable: CVE-2026-21533 | Windows Remote Desktop Services Elevation of Privilege Vulnerability
Tenable: CVE-2026-21533 is an EoP vulnerability affecting Windows Remote Desktop Services. It was assigned a CVSSv3 score of 7.8, rated as important and was reportedly exploited in the wild. Successful exploitation allows a local, authenticated attacker to elevate to SYSTEM privileges.
Rapid7: Remote Desktop Services (RDP) are designed to allow a duly authorized remote user to interact with the server, but CVE-2026-21533 allows an unauthorized local user to elevate privileges to SYSTEM. Every Windows Server product back as far as Server 2012 receives patches, so this one has been present for a while. It’s possible that today’s patches close off a long-running exploitation story for at least one threat actor.
ZDI: CVE-2026-21533 - Windows Remote Desktop Services Elevation of Privilege Vulnerability. Don’t let the word “Remote” in the title fool you – this is a local bug that allows attackers to run code with SYSTEM privileges. It’s interesting that Microsoft lists “Improper privilege management” as the root cause for this issue. If the system is running Remote Desktop Services, it’s probably a juicy target for attackers to move laterally after an initial breach. Add this one to the list of patches to test and deploy immediately.
Qualys: CVE-2026-21519: Desktop Window Manager Elevation of Privilege Vulnerability. Desktop Window Manager is a system service in Windows (Vista and later) that enables visual effects such as transparency, window animations, and live taskbar thumbnails via GPU hardware acceleration. A type confusion flaw in the Desktop Window Manager may allow an authenticated attacker to elevate privileges locally. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
Tenable: CVE-2026-21519 | Desktop Window Manager Elevation of Privilege Vulnerability
Tenable: CVE-2026-21519 is an EoP vulnerability affecting Desktop Window Manager, a Windows service used to render the graphical user interface (GUI) in Windows. It was assigned a CVSSv3 score of 7.8 and rated as important. A local, authenticated attacker could exploit this vulnerability to elevate to SYSTEM privileges. According to Microsoft, this vulnerability was exploited in the wild as a zero-day.
Rapid7: For the second month in a row, the Windows Desktop Window Manager (DWM) is the site of an exploited-in-the-wild zero-day vulnerability. Last month’s CVE-2026-20805 was an information disclosure vulnerability, effectively a treasure map for threat actors seeking the otherwise obfuscated in-memory address of the kernel-space DWM process. The publication of zero-day elevation of privilege (EoP) vulnerability CVE-2026-21519 today very likely reflects MSTIC and MSRC working to thwart the same threat actor in both cases. As Rapid7 has noted in the past, initial access coupled with local elevation of privilege vulnerabilities is the staple diet of many successful attackers, so the lower CVSS v3 base score of 7.8 seen here versus a broadly equivalent remote code execution is not a sign to delay patching.
ZDI: CVE-2026-21519 - Desktop Window Manager Elevation of Privilege Vulnerability. This is the second month in a row that a DWM was listed as being exploited in the wild. That leads me to believe the first patch didn’t completely resolve the vulnerability. Same as last month, this bug allows attackers to run code with SYSTEM privileges. Bugs of this type are typically paired with a code execution bug to take over a system. As always, Microsoft offers no indication of how widespread these exploits may be.
Qualys: CVE-2026-21525: Windows Remote Access Connection Manager Denial of Service Vulnerability. Windows Remote Access Connection Manager is a core Windows service that manages dial-up and Virtual Private Network connections, allowing user computers to securely connect to remote networks, corporate resources, or other devices. A null pointer dereference in Windows Remote Access Connection Manager could allow an unauthenticated attacker to deny service locally. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before March 3, 2026.
Tenable: CVE-2026-21525 | Windows Remote Access Connection Manager Denial of Service Vulnerability
Tenable: CVE-2026-21525 is a denial of service (DoS) vulnerability affecting Windows Remote Access Connection Manager (also known as RasMan), a tool used for the management of multiple remote desktop connections. It was assigned a CVSSv3 score of 6.2, was rated as important and was exploited in the wild. While no information has been released about the exploitation of this DoS, the advisory credits the 0patch vulnerability research team for reporting this flaw.
Rapid7: Exploited in the wild, but perhaps of less concern is CVE-2026-21525, a local denial of service vulnerability in the Windows Remote Access Connection Manager (RasMan). Somewhat unusually for a local vulnerability, the advisory sets out that no privileges are required at all, so even a guest account can exploit this one. You have disabled those guest accounts, right?
ZDI: CVE-2026-21525 - Windows Remote Access Connection Manager Denial of Service Vulnerability. It’s unusual to see DoS bugs being used in active attacks, but that’s what we have here. A null pointer deref in the Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally. Most null pointer derefs cause the application or service to crash, but it’s not clear if it will automatically restart. I would exercise caution and patch quickly either way.
Tenable: Microsoft patched 54 CVEs in its February 2026 Patch Tuesday release, with two rated critical, 51 rated as important and one rated as moderate. We omitted one vulnerability from our counts this month, CVE-2023-2804, a heap-based overflow vulnerability in the libjpeg-turbo component.
Qualys: CVE-2026-21522: Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability. A command injection flaw in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. Upon successful exploitation, an attacker could execute arbitrary commands within the affected ACI container’s context, thereby running code with the same privileges as the compromised container.
Qualys: Other Microsoft Vulnerability Highlights. CVE-2026-21511 is a spoofing vulnerability in Microsoft Outlook. Deserialization of untrusted data in Microsoft Office Outlook may allow an unauthenticated attacker to perform network spoofing. CVE-2026-21253 is an elevation of privilege vulnerability in the Mailslot File System. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. CVE-2026-21241 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. Successful exploitation of the vulnerability may allow an authenticated attacker to gain SYSTEM privileges. CVE-2026-21238 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. Successful exploitation of the vulnerability may allow an authenticated attacker to gain SYSTEM privileges. CVE-2026-21231 is an elevation of privilege vulnerability in the Windows Kernel. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Qualys: CVE-2026-23655: Microsoft ACI Confidential Containers Information Disclosure Vulnerability. Upon successful exploitation of the vulnerability, an attacker could disclose the secret tokens and keys.
Tenable: CVE-2026-21511 | Microsoft Outlook Spoofing Vulnerability
Tenable: CVE-2026-21511 is a spoofing vulnerability affecting Microsoft Outlook. It was assigned a CVSSv3 score of 7.5 and was rated as important. The spoofing vulnerability is the result of a deserialization of untrusted data flaw, which an attacker can trigger using a crafted email. Microsoft notes that the preview pane is an attack vector for this flaw. CVE-2026-21511 was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.