February 2026 Patch Tuesday: What you need to know
February’s Patch Tuesday is not defined by volume, but by how exploitation conditions are shifting in favor of attackers. This release stands out for several vulnerability patterns that materially increase enterprise risk and warrant closer attention.
Watch now: Patch Tuesday February 2026 Webinar
Preview Pane Remains a High-Risk Attack Vector
This month includes multiple Microsoft Outlook vulnerabilities, with Microsoft explicitly confirming the Preview Pane as an attack vector. The following vulnerabilities are affected:
· CVE-2026-21260 - Microsoft Outlook Spoofing Vulnerability
Malicious email content can be processed via the Preview Pane, allowing spoofing or information exposure without the user opening the message.
· CVE-2026-21511 - Microsoft Outlook Spoofing Vulnerability
Deserialization of untrusted data in Outlook can be triggered through email preview, reducing user interaction requirements and expanding the attack surface.
In these cases, malicious content can be automatically processed during preview, with no attachment opening or user action required. Preview Pane vulnerabilities significantly reduce user interaction barriers and should be treated as a structural risk rather than an edge case.
"Scope Changed" Vulnerabilities Increase Blast Radius
February also includes multiple vulnerabilities marked as Scope = Changed, meaning successful exploitation can impact resources beyond the initially vulnerable component. The following vulnerabilities are explicitly affected:
· CVE-2026-21231 - Windows Win32k Elevation of Privilege Vulnerability
Allows exploitation to cross a security boundary, increasing the potential for privilege escalation and broader system impact.
· CVE-2026-21255 - Windows Hyper-V Security Feature Bypass Vulnerability
A scope change enables attackers to affect additional system resources, making this vulnerability particularly valuable for lateral movement in virtualized environments.
· CVE-2026-24302 - Azure Arc Elevation of Privilege Vulnerability
This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.
“Scope Changed” vulnerabilities act as risk amplifiers and should be prioritized accordingly, even where severity ratings appear moderate.
Exploited Vulnerabilities Require Immediate Attention
February also includes vulnerabilities confirmed as exploited. Once exploitation is confirmed, prioritization debates end. These represent known attacker activity; in this case, the CVSS scoring and exploitability assessments become secondary.
· CVE-2026-21510 - Windows Shell Security Feature Bypass Vulnerability
An attacker could bypass Windows SmartScreen and Windows Shell security prompts by exploiting improper handling in Windows Shell components, allowing attacker-controlled content to execute without user warning or consent.
· CVE-2026-21513 - MSHTML Framework (Internet Explorer) Security Feature Bypass Vulnerability
Protection mechanism failure in Internet Explorer allows an unauthorized attacker to bypass a security feature over a network.
· CVE-2026-21514 - Microsoft Word Security Feature Bypass Vulnerability
Reliance on untrusted inputs in a security decision in Microsoft Word allows an unauthorized attacker to bypass a local security feature.
Key Takeaway
February reinforces a consistent message seen in recent months: reduced user interaction, expanded blast radius, and confirmed exploitation are increasingly converging. Organizations that prioritize trigger conditions, scope changes, and exploitation status will be better positioned than those relying solely on severity ratings.
Practical Recommendations
1. Prioritize Office patching across all endpoints, shared mailboxes, and VDI environments.
2. Fast-track scope-changing Windows fixes, even when rated "Important."
3. Leverage Endpoint Resilience: Absolute Secure Endpoint enables rapid rehydration to a golden image, restoring thousands of devices in hours rather than days, through firmware-embedded persistence.
When attack chains succeed, the organizations that recover fastest are the ones that limit business impact.
Patch smart. Build resilience. Happy patching.
See the Feb 2026 Patch Tuesday Chart (PDF).
Rob Brown Senior Director of Technical Services Absolute Security
