Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six “zero-day” vulnerabilities that attackers are already exploiting in the wild.

Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell wherein a single click on a malicious link can quietly bypass Windows protections and run attacker-controlled content without warning or consent dialogs. CVE-2026-21510 affects all currently supported versions of Windows.
The zero-day flaw CVE-2026-21513 is a security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows. CVE-2026-21514 is a related security feature bypass in Microsoft Word.
The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to “SYSTEM” level access in Windows Remote Desktop Services. CVE-2026-21519 is a zero-day elevation of privilege flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Microsoft fixed a different zero-day in DWM just last month.
The sixth zero-day is CVE-2026-21525, a potentially disruptive denial-of-service vulnerability in the Windows Remote Access Connection Manager, the service responsible for maintaining VPN connections to corporate networks.
Chris Goettl at Ivanti reminds us Microsoft has issued several out-of-band security updates since January’s Patch Tuesday. On January 17, Microsoft pushed a fix that resolved a credential prompt failure when attempting remote desktop or remote application connections. On January 26, Microsoft patched a zero-day security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office.
Kev Breen at Immersive notes that this month’s Patch Tuesday includes several fixes for remote code execution vulnerabilities affecting GitHub Copilot and multiple integrated development environments (IDEs), including VS Code, Visual Studio, and JetBrains products. The relevant CVEs are CVE-2026-21516, CVE-2026-21523, and CVE-2026-21256.
Breen said the AI vulnerabilities Microsoft patched this month stem from a command injection flaw that can be triggered through prompt injection, or tricking the AI agent into doing something it shouldn’t — like executing malicious code or commands.
“Developers are high-value targets for threat actors, as they often have access to sensitive data such as API keys and secrets that function as keys to critical infrastructure, including privileged AWS or Azure API keys,” Breen said. “When organizations enable developers and automation pipelines to use LLMs and agentic AI, a malicious prompt can have significant impact. This does not mean organizations should stop using AI. It does mean developers should understand the risks, teams should clearly identify which systems and workflows have access to AI agents, and least-privilege principles should be applied to limit the blast radius if developer secrets are compromised.”
The SANS Internet Storm Center has a clickable breakdown of each individual fix this month from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on wonky updates. Please don’t neglect to back up your data if it has been a while since you’ve done that, and feel free to sound off in the comments if you experience problems installing any of these fixes.

What an ugly group of bugs they’ve broadcast this month.
Just in time to install them on a shiny new VirtualBox instance of 10 Pro in lieu of 11. I wonder if Micro$lop is feeling the pain of vibe coding…
I spent the last 24 hours thinking, ‘yeah, I need to test these bugs/exploits in an .ova too’… then I realized you meant install the PATCHES on virtualbox instances. (Unrelated: Still hate the way virtualbox’s display drivers and scaling appear, compared to vmware).
I haven’t had a Microsoft patch brick a Windows install in years, though I get only running Windows virtualized. Kind of a memory hog, though.
The DWM bug looks gnarly, there.
Where is that secure operating system Microsoft promised us 12 years ago? I distinctly remember it was advertised as the most secure operating system ever. That may have been true till they released the first preview release in 2014.
I kinda think at one point QNX had the potential to be that, though that was back in the 90s. I don’t think anything has the potential to be that now, nor is there any solution en route. I suspect people really think their AIs will want to create OSes for humans, but I don’t think that’d work out too well, in practice. Not sure how people think ‘patches’ will work out then, either. o_0
I really don’t want to see more human/machine crossovers, at any rate.
Wonder what all of us with computing careers expect to make when patching as it was for the past few decades is gone.
Won’t be a roofing job or whatever like in Office Space, either.
Thanks for the analysis – very helpful.
I switched to Linux rather than pay any more to MS or buy a new PC. (I am using PCs at home on a WiFi network and pretty much nothing else.) I wonder, if somebody feels like it, can they give me a polite answer to this question? It seems every month that Windows gets upwards of 50+ patches. Does Linux have the same volume of fixes? I have been very happy with the system so far. Am I at higher risk than I even know about?
Linux has bugs; also, Linux has many distros, all of which have different paces of bug and security fixes, and some distros are distros based on other distros, so inherit some or all bugs, bug and security fixes. In short, you’d have to look up what your particular choice of Linux does; we can’t answer that for you. One slightly confusing issue is that some fixes can be backported.
I have some linux mint installs here on too-old-to-run win 11 boxes, which I do whenever a computer gets a single task that a linux version of an application exists that can be used and I don’t have a budget. I’m actually now being limited by spare monitors.
They seem to look after updating themselves pretty unobtrusively, and the lack of distractions on the desktop is really something I appreciate, when the computer is only supposed to be doing 1 thing. The RMM I use recently added linux support, so I can have them in the same console as the windows 11 computers for management purposes (including verifying they are patched).
Nobody attacks linux, both because it is not as popular and because you do not mess with Richard Stallman or the FSF or you will be on the receiving end of those katanas from XKCD.
Nobody attacks linux lol.
Comparing linux to MS Windows isn’t apples-to-apples. Linux is an operating system. MS Windows includes proprietary applications bundled with an operating system. Whatever version of linux you’ve installed, it’s your computer’s operating system; the applications you’ve installed are separate and distinct. Note that many of the updates mentioned in this article are updates to applications, not to Windows. I don’t consider myself to be a linux or a Windows ‘expert’ — whatever that means — but I think I know enough to keep my nose above water. You didn’t mention the specific version of linux you’re using. All versions of linux can be manually updated using commands in a terminal. Updating linux can use a broad brush — updating both the operating system and installed applications — or it can be selective. (In Windows, editing ‘autoruns’ can — somewhat — accomplish this too.) Some versions of linux automate updating. Some versions of linux offer a graphic alternative to commands in a terminal. Some versions of linux implement automated updating in the background while others alert users to the availability of updates; the user toggles when to apply them. I know I’ve added some confusion; I hope I’ve added some clarity.
Linux (whatever distro) can be made totally insecure, and Windows (name your version) can be made reasonably secure. It all depends on your curiosity and time invested. Reading Krebs blog is one pursuit, but in no way answers all the questions. I’ve been doing this for over 30 years and have never been compromised. YAMMV.
“This does not mean organizations should stop using AI.”
This does not mean children should not play with stove.
Wait, you’re saying it means that maybe children should play with stove?
Bit unsure I agree with the previous suggestion about organizations being alright using AI though.
Don’t you ever wonder what could happen if an AI gets bored?
You ain’t nothin’ but a sockpuppet,
Cryin’ all the time.
you ain’t nothin’ but a rotted small order of hush pupps inside of a network socket.
what?
You ain’t never caught a hacker,
And you ain’t no friend of mine.