Microsoft has released fixes for six newly-classified zero-day common vulnerabilities and exposures (CVEs) on the second monthly Patch Tuesday of 2026, amid a release comprising over 50 flaws that run the full gamut of Microsoft’s product suite.
Although the total number of flaws is down by about half on January’s bumper crop, it is about on par for this time of year, explained Dustin Childs of Trend Micro’s Zero Day Initiative (ZDI), however, he added, the number under active attack is “extraordinarily high”.
Indeed, with all six zero-days under active exploitation in the wild, and three of them already made public, Childs noted: “We’ll see if we’re on our way to another ‘hot exploit summer’ as we saw a few years ago or if this is just an aberration.”
The three ‘classic’ zero-days are all security feature bypass (SFB) vulnerabilities, tracked variously as CVE-2026-21510 in Windows SmartScreen, CVE-2026-21514 in Microsoft Word, and CVE-2026-21513 in Internet Explorer.
The three zero-days for which exploit proofs of concept (PoCs) have not yet been made public are tracked as CVE-2026-21519, an elevation of privilege (EoP) flaw in Desktop Window Manager, CVE-2026-21525, a denial of service (DoS) flaw in Windows Remote Access Connection Manager, and finally, CVE-2026-21533, an EoP flaw in Windows Remote Desktop Services.
Seth Hoyt, senior security engineer at endpoint security platform Automox, said the flaw in Windows Shell was particularly dangerous because its effect is essentially to neutralise the important SmartScreen feature in Microsoft Defender.
“SmartScreen serves as a critical checkpoint: when you download an executable or document, it prompts you to confirm whether you trust the source. This bypass removes that checkpoint entirely,” he said. “Files from the internet execute without triggering the usual warning dialog, giving attackers a clean path to run malicious code once a user clicks a phishing link.
“The attack still requires user interaction, but with one less security prompt in the way, the barrier to successful exploitation drops considerably,” said Hoyt.
Beyond patching, he advised defenders to be alert to unusual cmd.exe or PowerShell activity in the wake of a file download, or odd processes spawning from files in Downloads or temporary directories that do not have corresponding SmartScreen events logged. It is also worth applying endpoint hardening measures such as Attack Surface Reduction rules.
Hoyt added that CVE-2026-21514 works in a similar fashion and should be treated in the same terms.
Meanwhile, Jack Bicer, vulnerability research director at patch management specialist Action1, turned to the MSHTML Framework flaw in Internet Explorer, CVE-2026-21513.
“The MSHTML Framework [is] a core component used by Windows and multiple applications to render HTML content,” he said. “[CVE-2026-21513] is caused by a protection mechanism failure that allows attackers to bypass execution prompts when users interact with malicious files. A crafted file can silently bypass Windows security prompts and trigger dangerous actions with a single click.
“Exploitation occurs over the network and requires user interaction, such as opening a malicious HTML file or clicking a shortcut delivered via email, link, or download. No privileges are required by the attacker,” he added.
Bicer explained that such SFB flaws significantly increase the success rate of phishing and campaigns that ultimately have impacts far beyond embarrassment for the one person who accidentally clicked on something without thinking. In enterprise environments they become a gateway to a whole host of nasties, including unauthorised code execution, malware and ransomware deployment, credential and data theft, and other compromises.
Deep dependence
Coming a month after January’s blockbuster Patch Tuesday, Cory Simpson, senior advisor to the Cyberspace Solarium Commission and a former advisor to the US Special Operations Command, said that 2026 was already off to a concerning start.
He described the situation on the ground as standing in “stark contrast” to the picture painted in Microsoft’s November 2025 Secure Future Initiative report, which hailed the idea of ‘security above all else’ as a guiding principle at Redmond.
“Patch volumes like today’s, six active zero-days, reflect the structural risk created by deep dependence on Microsoft across enterprise environments,” Simpson told Computer Weekly.
“Security leadership starts with baseline hygiene and extends to resilience-by-design: diversified dependencies, reduced concentration risk, and architectures built to operate under persistent vulnerability discovery,” he said.
