Microsoft on Tuesday released security updates to address a set of 59 flaws across its software, including six vulnerabilities that it said have been exploited in the wild.
Of the 59 flaws, 5 are rated Critical, 52 are rated Important, and two are rated Moderate in severity. Twenty-five of the patched vulnerabilities have been classified as privilege escalation, followed by remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial-of-service (3), and cross-site scripting (1).
It's worth noting that the patches are in addition to three security flaws that Microsoft has addressed in its Edge browser since the release of the January 2026 Patch Tuesday update, including a Moderate vulnerability impacting the Edge browser for Android (CVE-2026-0391, CVSS score: 6.5) that could permit an unauthorized attacker to perform spoofing over a network by taking advantage of a “user interface misrepresentation of critical information.”
Topping the list of this month’s updates are six vulnerabilities that have been flagged as actively exploited:
- CVE-2026-21510 (CVSS score: 8.8) – A protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2026-21513 (CVSS score: 8.8) – A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network.
- CVE-2026-21514 (CVSS score: 7.8) – A reliance on untrusted inputs in a security decision in Microsoft Office Word that allows an unauthorized attacker to bypass a security feature locally.
- CVE-2026-21519 (CVSS score: 7.8) – An access of resource using incompatible type (‘type confusion’) in the Desktop Window Manager that allows an authorized attacker to elevate privileges locally.
- CVE-2026-21525 (CVSS score: 6.2) – A null pointer dereference in Windows Remote Access Connection Manager that allows an unauthorized attacker to deny service locally.
- CVE-2026-21533 (CVSS score: 7.8) – An improper privilege management in Windows Remote Desktop that allows an authorized attacker to elevate privileges locally.
Microsoft’s own security teams and Google Threat Intelligence Group (GTIG) have been credited with discovering and reporting the first three flaws, which were listed as publicly known at the time of release. There are currently no details on how the vulnerabilities are being exploited, or whether they were weaponized as part of the same campaign.
“CVE-2026-21513 is a security feature bypass vulnerability in the Microsoft MSHTML Framework, a core component used by Windows and multiple applications to render HTML content,” Jack Bicer, director of vulnerability research at Action1, said. “It is caused by a protection mechanism failure that allows attackers to bypass execution prompts when users interact with malicious files. A crafted file can silently bypass Windows security prompts and trigger dangerous actions with a single click.”
Satnam Narang, senior staff research engineer at Tenable, said CVE-2026-21513 and CVE-2026-21514 bear a “lot of similarities” to CVE-2026-21510, the main difference being that CVE-2026-21513 can also be exploited using an HTML file, whereas CVE-2026-21514 can only be exploited using a Microsoft Office file.
As for CVE-2026-21525, it is linked to a zero-day that ACROS Security’s 0patch service said it found in December 2025 while investigating another related flaw in the same component (CVE-2025-59230).
“These [CVE-2026-21519 and CVE-2026-21533] are local privilege escalation vulnerabilities, which means an attacker must have already gained access to a vulnerable host,” Kev Breen, senior director of cyber threat research at Immersive, told The Hacker News via email. “This could occur through a malicious attachment, a remote code execution vulnerability, or lateral movement from another compromised system.”
“Once on the host, the attacker can use these escalation vulnerabilities to elevate privileges to SYSTEM. With this level of access, a threat actor could disable security tooling, deploy additional malware, or, in worst-case scenarios, access secrets or credentials that could lead to full domain compromise.”
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add all six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by March 3, 2026.
The update also coincides with Microsoft rolling out updated Secure Boot certificates to replace the original 2011 certificates that will expire in late June 2026. The new certificates will be installed through the regular monthly Windows update process without any additional action.
“If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally, and existing software will keep running,” the tech giant said. “However, the device will enter a degraded security state that limits its ability to receive future boot-level protections.”
“As new boot‑level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot–dependent software may fail to load.”
In tandem, the company said it is also strengthening default protections in Windows through two security initiatives, Windows Baseline Security Mode and User Transparency and Consent. The updates come under the purview of the Secure Future Initiative and Windows Resiliency Initiative.
“With Windows Baseline Security Mode, Windows will move toward operating with runtime integrity safeguards enabled by default,” it noted. “These safeguards ensure that only properly signed apps, services, and drivers are allowed to run, helping to protect the system from tampering or unauthorized changes.”
User Transparency and Consent, analogous to Apple’s macOS Transparency, Consent, and Control (TCC) framework, aims to introduce a consistent approach to handling security decisions. The operating system will prompt users when apps try to access sensitive resources, such as files, the camera, or the microphone, or when they attempt to install other unintended software.
“These prompts are designed to be clear and actionable, and you’ll always have the ability to review and change your choices later,” Logan Iyer, Distinguished Engineer at Microsoft, said. “Apps and AI agents will also be expected to meet higher transparency standards, giving both users and IT administrators better visibility into their behaviors.”



