Overview
- The release fixes 58 or 59 vulnerabilities (the count differs between trackers) across Windows, Office and cloud services; six of them were confirmed as zero-days already exploited in the wild before the patch shipped.
- Three publicly disclosed security feature bypasses, CVE-2026-21510 (SmartScreen/Windows Shell), CVE-2026-21513 (MSHTML/IE) and CVE-2026-21514 (Word/OLE), suppress or weaken the warning prompts a user would otherwise see before opening untrusted content, which makes phishing lures delivered as files or links more likely to succeed.
- Three local-impact zero-days round out the exploited set: CVE-2026-21519 (Desktop Window Manager) and CVE-2026-21533 (Remote Desktop Services) allow privilege escalation, and CVE-2026-21525 (Remote Access Connection Manager) allows local denial of service. The two escalation bugs let an attacker who already has a low-privileged foothold take over the host; the RasMan bug can knock out VPN connectivity on the affected machine.
- CISA added all six exploited flaws to its Known Exploited Vulnerabilities (KEV) catalog and set a remediation deadline of March 3, 2026 for Federal Civilian Executive Branch agencies; organizations outside that mandate commonly treat a KEV listing as a signal to patch on the same timeline.
- Microsoft credited Google's Threat Intelligence Group, internal Microsoft teams and other researchers for the discoveries. CrowdStrike separately reported observing CVE-2026-21533 in use against U.S. and Canadian targets since December 24, 2025, which means the Remote Desktop Services bug had been exploited for roughly seven weeks before a fix was available. Additional fixes in the same release covered Azure, Exchange and developer tools.