U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Office and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Microsoft Office and Microsoft Windows flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2026-21510 Microsoft Windows Shell Protection Mechanism Failure Vulnerability
  • CVE-2026-21513 Microsoft MSHTML Framework Security Feature Bypass Vulnerability
  • CVE-2026-21514 Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability
  • CVE-2026-21519 Microsoft Windows Type Confusion Vulnerability
  • CVE-2026-21525 Microsoft Windows NULL Pointer Dereference Vulnerability
  • CVE-2026-21533 Windows Remote Desktop Services Elevation of Privilege Vulnerability

This week, Microsoft Patch Tuesday security updates for February 2026 fixed 58 new security flaws across Windows, Office, Azure, Edge, Exchange, Hyper-V, WSL, and other components, rising to 62 CVEs when third-party updates are included. Six flaws addressed this month are actively exploited in the wild, three of them publicly known.

Below are descriptions of the vulnerabilities that Microsoft addressed and that CISA added to the catalog:

  • CVE-2026-21510 (CVSS score of 7.5 – High)
    A Windows SmartScreen and Shell prompt bypass that allows attackers to evade security warnings by tricking users into opening a crafted malicious link or shortcut file.
  • CVE-2026-21513 (CVSS score of 8.8 – High)
    An Internet Explorer security control bypass that can lead to code execution when a victim opens a malicious HTML page or LNK file.
  • CVE-2026-21514 (CVSS score of 8.1 – High)
    A Microsoft 365 and Office flaw that bypasses OLE security mitigations, enabling malicious activity when a specially crafted Office document is opened.
  • CVE-2026-21519 (CVSS score of 7.8 – High)
    A Windows Desktop Window Manager vulnerability that enables local privilege escalation and elevated system access.
  • CVE-2026-21525 (CVSS score of 6.5 – Medium)
    A Windows Remote Access Connection Manager bug that can be abused by a local attacker to cause a denial-of-service condition.
  • CVE-2026-21533 (CVSS score of 8.8 – High)
    A Windows Remote Desktop Services vulnerability that allows attackers to escalate privileges to SYSTEM.

Microsoft labeled CVE-2026-21510, CVE-2026-21514 and CVE-2026-21513 as “publicly disclosed”.

The company credited Google Threat Intelligence Group, its internal security teams, and an anonymous researcher for discovering CVE-2026-21510 and CVE-2026-21514, while Microsoft and GTIG reported the vulnerability CVE-2026-21513.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by March 3rd, 2026.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)
