InfoSecBulletin Cybersecurity for mankind
Today is Microsoft’s February 2026 Patch Tuesday, featuring security updates for 58 flaws, including 6 that are actively exploited and 3 publicly disclosed zero-day vulnerabilities.
This Patch Tuesday fixes five “Critical” vulnerabilities: three elevate privileges and two disclose information. The details of vulnerabilities by category are as follows:
WhatsApp to allow usernames instead of phone numbers
Linux Unveils New Open Source Security Project “Akrites” For (OSS) Ecosystem
Data breach affects 14.2 million email logins across six ISPs
Asian Two AI startups launch Mythos-like Model
Polymarket Hack Reportedly Results in $3 Million Theft
Anthropic Confirms US Infrastructure Redeployment of Claude Mythos 5
Hackers Target Cloudflare-Hosted AWS Domains to Steal Console Logins
Daily Cyber security update for 26. 06. 2026
WhatsApp to Alert Users Before Chatting With New Numbers
OpenAI unveils its first custom chip, Named Jalapeño
25 Elevation of Privilege vulnerabilities
5 Security Feature Bypass vulnerabilities
12 Remote Code Execution vulnerabilities
6 Information Disclosure vulnerabilities
3 Denial of Service vulnerabilities
7 Spoofing vulnerabilities
The zero-days are:
CVE-2026-21510: a Windows SmartScreen and Windows Shell security prompts bypass that can be exploited by convincing the targeted user to open a malicious link or shortcut file.
CVE-2026-21514: a vulnerability that allows an attacker to bypass OLE mitigations in Microsoft 365 and Office by tricking the target into opening a malicious Office file.
CVE-2026-21513: an Internet Explorer issue that allows an attacker to bypass security controls and potentially execute code by convincing the victim to open a malicious HTML or LNK file.
CVE-2026-21519: a Windows Desktop Window Manager flaw that can be exploited by a local attacker for privilege escalation.
CVE-2026-21533: a Windows Remote Desktop Services vulnerability that allows an attacker to escalate privileges to System.
CVE-2026-21525: a Windows Remote Access Connection Manager bug that can be exploited for local DoS attacks.
Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, told SecurityWeek, “The CVE-2026-21533 exploit binary modifies a service configuration key, replacing it with an attacker-controlled key, which could enable adversaries to escalate privileges to add a new user to the Administrator group. While CrowdStrike does not currently attribute this activity to a specific target or adversary, threat actors possessing the exploit binaries will likely accelerate their attempts to use or sell CVE-2026-21533 in the near term.”
Mitja Kolsek, CEO of Acros Security, told SecurityWeek, “We found an exploit for this issue in December 2025 in a public malware repository while searching for an exploit for CVE-2025-59230. This issue turned out to be a 0day at the time, so we patched it and reported it to Microsoft. We don’t have any information on it having been exploited, but the quality of the combined exploit for both issues suggested professional work.”
