Microsoft Patch Tuesday for February 2026 — Snort rules and prominent vulnerabilities

Microsoft has released its monthly security update for February 2026, which includes 59 vulnerabilities affecting a range of products, including two that Microsoft marked as “Critical”. 

CVE-2026-21522 is a critical elevation of privilege vulnerability affecting Microsoft ACI Confidential Containers. Successful exploitation of this vulnerability could enable an authorized attacker to escalate privileges on affected systems. This vulnerability is not listed as publicly disclosed and received a CVSS 3.1 score of 6.7.  

CVE-2026-23655 is a critical information disclosure vulnerability affecting Microsoft ACI Confidential Containers. This vulnerability could enable an authorized attacker to disclose sensitive information including secret tokens and keys if successfully exploited. This vulnerability is not listed as publicly disclosed and received a CVSS 3.1 score of 6.5. 

In this month’s release, Microsoft reported active exploitation of five vulnerabilities rated as “Important”. Additionally, one “Moderate” vulnerability, CVE-2026-21525, was also listed as being actively exploited. CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514 have also been publicly disclosed. 

CVE-2026-21510 is a security feature bypass vulnerability affecting Windows Shell. Successful exploitation of this vulnerability could allow an unauthenticated attacker to bypass a security feature on affected systems. This vulnerability could be exploited by convincing a user to open a malicious shortcut or link file, enabling them to bypass Windows SmartScreen and Windows Shell security prompts. 

CVE-2026-21513 is a security feature bypass vulnerability affecting MSHTML Framework. This vulnerability could be exploited by convincing a user to open a specially crafted HTML or LNK file, allowing an attacker to bypass security features and achieve code execution. This vulnerability received a CVSS 3.1 score of 8.8. 

CVE-2026-21514 affects Microsoft Office Word and results from reliance on untrusted input, enabling an unauthorized attacker to bypass security protections locally. Exploitation requires user interaction, typically by persuading a user to open a malicious Office document, and may bypass OLE mitigation mechanisms designed to protect against vulnerable COM/OLE controls. 

CVE-2026-21519 is a type confusion vulnerability in the Desktop Window Manager that allows an authenticated attacker to elevate privileges locally, potentially gaining full SYSTEM-level access. 

CVE-2026-21533 is an elevation of privilege vulnerability affecting Windows Remote Desktop Services. This vulnerability is due to improper privilege management and could enable an attacker to escalate privileges on affected systems. Successful exploitation of this vulnerability could grant an attacker SYSTEM level privileges on the system. 

CVE-2026-21525 is a moderate denial-of-service vulnerability affecting Windows Remote Access Connection Manager. This vulnerability is due to a null pointer dereference that could allow an unauthorized attacker to create a denial-of-service condition on affected systems. This vulnerability has not been publicly disclosed and received a CVSS 3.1 rating of 6.2.

Talos would also like to highlight the following “important” vulnerabilities affecting Microsoft Azure, Notepad, various GitHub Copilot components, and Hyper-V. 

CVE-2026-21228 is an improper certificate validation issue in Azure Local that allows an unauthorized attacker to execute code over the network; successful exploitation may result in a scope change, enabling interaction with other tenants’ applications and data. An attacker could exploit this flaw by intercepting unsecured communication between the configurator application and target systems, tampering with responses to trigger command injection with administrative privileges, and subsequently extracting Azure tokens from application logs to facilitate lateral movement within the cloud environment. 

CVE-2026-20841 addresses an RCE vulnerability in Microsoft Notepad. This issue could allow an attacker to entice a user into clicking a malicious link within a Markdown file opened in Notepad, resulting in the launch of untrusted protocols that download and execute remote content. 

CVE-2026-21244 and CVE-2026-21248 affect Windows Hyper-V and enable unauthorized attackers to achieve arbitrary code execution locally. Exploitation requires local code execution, commonly by convincing a user to open a malicious Office file. 

Several RCE vulnerabilities were also identified in GitHub Copilot, including CVE-2026-21516, CVE-2026-21523, and CVE-2026-21256. CVE-2026-21516 is a locally exploitable arbitrary code execution vulnerability in GitHub Copilot for JetBrains, requiring code execution on the affected system. For CVE-2026-21523, Microsoft has provided limited details beyond indicating a network attack vector. CVE-2026-21256 is a command injection vulnerability caused by improper handling of special characters, enabling unauthorized remote code execution in GitHub Copilot and Visual Studio Code. 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.     

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65895-65900, 65902, 65903, 65906-65911, 65913, 65914, 65923, 65924. 

The following Snort 3 rules are also available: 301395-301403. 

Cisco Talos Blog – ​Read More