Today is Microsoft’s February 2026 Patch Tuesday with security updates for 58 flaws, including 6 actively exploited and three publicly disclosed zero-day vulnerabilities.

This Patch Tuesday also addresses five “Critical” vulnerabilities, 3 of which are elevation of privileges flaws and 2 information disclosure flaws.

The number of bugs in each vulnerability category is listed below:

• 25 Elevation of Privilege vulnerabilities
• 5 Security Feature Bypass vulnerabilities
• 12 Remote Code Execution vulnerabilities
• 6 Information Disclosure vulnerabilities
• 3 Denial of Service vulnerabilities
• 7 Spoofing vulnerabilities

When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today. Therefore, the number of flaws does not include 3 Microsoft Edge flaws fixed earlier this month.

As part of these updates, Microsoft has also begun to roll out updated Secure Boot certificates to replace the original 2011 certificates that are expiring in late June 2026.

“With this update, Windows quality updates include a broad set of targeting data that identifies devices and their ability to receive new Secure Boot certificates,” explains Microsoft in the Windows 11 update notes.

“Devices will receive the new certificates only after they show sufficient successful update signals, which helps ensures a safe and phased rollout.”

To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5077181 & KB5075941 cumulative updates and the Windows 10 KB5075912 extended security update.

6 actively exploited zero-days

This month’s Patch Tuesday fixes six actively exploited vulnerabilities, three of which are publicly disclosed.

Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available.

The six actively exploited zero-days are:

CVE-2026-21510 – Windows Shell Security Feature Bypass Vulnerability

Microsoft has patched an actively exploited Windows security feature bypass that can be triggered by opening a specially crafted link or shortcut file.

“To successfully exploit this vulnerability, an attacker must convince a user to open a malicious link or shortcut file.” explains Microsoft.

“An attacker could bypass Windows SmartScreen and Windows Shell security prompts by exploiting improper handling in Windows Shell components, allowing attacker‑controlled content to execute without user warning or consent,” continued Microsoft.

While Microsoft has not shared further details, it likely allows attackers to bypass the Mark of the Web (MoTW) security warnings.

Microsoft has attributed the discovery of the flaw to Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), Office Product Group Security Team, Google Threat Intelligence Group, and an anonymous researcher.

CVE-2026-21513 – MSHTML Framework Security Feature Bypass Vulnerability

Microsoft has patched an actively exploited MSHTML security feature bypass flaw in Windows.

“Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network,” explains Microsoft.

There are no details on how this was exploited.

This flaw was once again attributed to Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), Office Product Group Security Team, and Google Threat Intelligence Group.

CVE-2026-21514 – Microsoft Word Security Feature Bypass Vulnerability

Microsoft has patched a security feature bypass flaw in Microsoft Word that is actively exploited.

“An attacker must send a user a malicious Office file and convince them to open it,” warns Microsoft’s advisory.

“This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE control,” continues Microsoft.

Microsoft says that the flaw cannot be exploited in the Office Preview Pane.

The flaw was again attributed to Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), Office Product Group Security Team, Google Threat Intelligence Group, and an anonymous researcher.

As no details have been released, it is unclear if CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514 were exploited in the same campaign.

CVE-2026-21519 – Desktop Window Manager Elevation of Privilege Vulnerability

Microsoft has patched an actively exploited elevation of privileges flaw in the Desktop Window Manager.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” warns Microsoft.

No details have been shared on how it was exploited.

Microsoft has attributed the discovery of the flaw to Microsoft Threat Intelligence Center (MSTIC) & Microsoft Security Response Center (MSRC).

CVE-2026-21525 – Windows Remote Access Connection Manager Denial of Service Vulnerability

Microsoft fixed an actively exploited denial of service flaw in the Windows Remote Access Connection Manager.

“Null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally,’ explains Microsoft.

Microsoft has attributed the discovery of the flaw to the ACROS Security team with 0patch.

ACROS CEO Mitja Kolsek told BleepingComputer that the exploit was found in a public malware repository but is unsure how it is being exploited in attacks.

“We found an exploit for this issue in December 2025 in a public malware repository while searching for an exploit for CVE-2025-59230,” Kolsek told BleepingComputer.

“This issue turned out to be a 0day at the time, so we patched it (blog.0patch.com/2025/12/free-micropatches-for-windows-remote.html) and reported it to Microsoft. We don’t have any information on it having been exploited, but the quality of the combined exploit for both issues suggested professional work.”

CVE-2026-21533 – Windows Remote Desktop Services Elevation of Privilege Vulnerability

Microsoft has fixed an elevation of privileges in Windows Remote Desktop Services.

“Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate privileges locally,” explains Microsoft.

Microsoft has attributed the discovery of the flaw to the Advanced Research Team at CrowdStrike.

CrowdStrike told BleepingComputer that the exploit they observed allows threat actors to add a new user to the Administrator group.

“The CVE-2026-21533 exploit binary modifies a service configuration key, replacing it with an attacker-controlled key, which could enable adversaries to escalate privileges to add a new user to the Administrator group,” Adam Meyers, Head of Counter Adversary Operations, CrowdStrike, told BleepingComputer.

“While CrowdStrike does not currently attribute this activity to a specific target or adversary, threat actors possessing the exploit binaries will likely accelerate their attempts to use or sell CVE-2026-21533 in the near term.”

Of the six zero-days, CVE-2026-21513, CVE-2026-21510, and CVE-2026-21514 were publicly disclosed.

Recent updates from other companies

Other vendors who released updates or advisories in February 2026 include:

While not a security update, Microsoft has started rolling out built-in Sysmon functionality in Windows 11 insider builds, which many Windows admins will find useful.

The February 2026 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the February 2026 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.

Update 2/10/26: Added information about how CVE-2026-21533 and CVE-2026-21525 are exploited.

Modern IT infrastructure moves faster than manual workflows can handle.

In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.

Advertisement

Get the guide

2026 is set to be a huge year for Valve, as the brand behind Steam and the brilliant Steam Deck is set to launch exciting new additions to its hardware line-up.

There’s the Steam Machine, Steam Controller and, notably, the Steam Frame which is Valve’s first foray into VR headsets. Although Valve is yet to reveal how much the Steam Frame will cost, nor when we’ll be able to get our hands on the headset, its specs have been revealed.

Keep reading to learn more about the upcoming Steam Frame, including its rumoured price and release date to its confirmed tech specs. Make sure you also visit our list of the best game consoles to enhance your gaming set-up. 

Last updated: February 10th 2026 with updates from Valve on pricing and launch date

Steam Frame at a Glance

• Set to launch within the first half of 2026
• Exact launch date and pricing is still yet to be determined by Valve
• Delayed announcements blamed on RAM prices and shortages crisis
• Wireless VR headset
• Available in two sizes: 256GB and 1TB
• Runs on 2024’s mobile flagship processor, Snapdragon 8 Gen 3
• Eye-tracking technology
• Powered by SteamOS
• Comes equipped with dual controllers for playing non-VR games

Advertisement

Steam Frame price rumours

Despite announcing the hardware back in November 2025, Valve has still not disclosed how much the Steam Frame, nor any of the upcoming devices, will cost. However, Valve has now addressed this in a recent statement (February 4th) and, as predicted, the ongoing memory shortages are to blame for the lack of information.

Essentially, Valve said that due to the limited availability and rising prices of critical components, the brand needs to “revisit [its] exact shipping schedule and pricing”. So, while Valve had originally expected to have revealed the price and launch date by now, the crisis has delayed this. This perhaps isn’t surprising, as RAM prices have been dominating headlines for the past few weeks, and the lack of update from Valve was starting to raise eyebrows.

It’s worth noting that Valve hasn’t explicitly stated that it needs to increase the price of any upcoming Steam hardware, although of course we didn’t know for sure what the RRP was going to be in the first place. While it’s unavoidable that the Steam Frame will cost more than we hoped, this does remain unconfirmed.

If you’ve been keeping track of the rumours surrounding the Steam Frame, then you’ll likely have seen that listings for the VR headset and the Steam Machine were discovered on a Czech online retailer, Smarty. While there wasn’t any price on the listing, internet sleuths inspected the site and found prices within its code. Seriously. 

As reported by The Mysticle’s YouTube, the Steam Frame was listed for 17900 CZK (256GB) and 21990 CZK (1TB). That roughly converts to around $860 and $1060. Of course, we don’t know whether that was an accurate price in the first place and we definitely don’t know whether the price would remain the same now that Valve has publicly addressed its delayed pricing reveal and need to address the price again. 

Advertisement

Advertisement

Essentially, we’ll simply have to just wait for Valve to determine the pricing strategy and reveal it to us.

Steam Frame release date rumours

When Valve originally unveiled the Steam Frame, the brand said we would expect the new launches in “early 2026”. However, since that initial announcement, there’s been speculation that the ongoing RAM price crisis would delay the hardware. While this was mostly internet rumours, Valve has recently confirmed it did indeed have to revisit its shipping strategy, alongside the price too. 

While Valve has stated that the “goal of shipping all three products [Steam Frame, Steam Machine and Steam Controller] in the first half of the year has not changed”, the brand says that it needs to try to land on concrete pricing and launch dates, although this is difficult as the circumstances surrounding both can change so quickly. 

Advertisement

We appreciate Valve providing this update, but for now it seems we’re no closer to knowing when we can expect the long awaited Steam hardware.

Steam Frame specs

Sure, both the release date and price for the Steam Frame are still at large, but Valve has unveiled all the specs for the upcoming VR headset. While Valve has been careful to caveat that some of the specifications are subject to change ahead of availability, the initial specs are undoubtedly exciting. 

First and foremost, the Steam Frame is a PC and runs SteamOS powered by the Snapdragon 8 Gen 3 mobile processor. That means it’s the first of its kind that can handle the entire Steam Library, allowing you to play both VR and non-VR games without needing to connect to your PC. 

Advertisement

Advertisement

Essentially, the headset uses a 6GHz wireless adapter for streaming and dual radios: one for audio and visual streaming and another for connecting to your Wi-Fi.

Plus, the Steam Frame comes equipped with dual controllers which are fitted with all the familiar inputs you need for non-VR games, such as the D-Pad, ABXY, thumbsticks and more. Speaking of the thumbsticks, they’re the same found in the upcoming Steam Controller and are magnetic for improved feel and responsiveness.

The Steam Frame also introduces Foveated Streaming which Valve explains that foveate streaming uses eye tracking data so that the PC only streams high resolution data in the area you’re looking at. As it’s a system-level feature, it applies to all games. The headset also uses eye tracking to ensure the best quality pixels are saved for only where you’re looking, which should theoretically help the Steam Frame run more efficiently too. Even so, it’s worth noting each panel is a 2160 x 2160 LCD too.

Technical specifications aside, the Steam Frame promises to be easy to use with no set-up required. Valve explains the Steam Frame is equipped with four high-res cameras that provide both controller and headset tracking, with infrared LEDs to track in dark environments too.

Advertisement

Advertisement

Finally, if you’re a glasses wearer then you might be wondering whether it’s possible to don the Steam Frame while wearing glasses. Valve has stated that your ability to comfortably wear glasses while the Steam Frame will depend on the width of the frames. However, Valve has teased that it’s “looking into making prescription lens inserts available ahead of launch”, although that’s all the information we have on that. 

Google Search can make information easy to find, but it can also make your personal data surface in ways that feel invasive or even dangerous. This is why Google is rolling out new tools that give people more control over what shows up about them online.

The company says it is expanding its Search removal features to make it simpler to take down sensitive personal information and explicit images that never should have been public in the first place.

How to remove personal information from Search

Google’s “Results about you hub” can now help you find and remove search results that contain sensitive government-issued identification numbers. This includes things like passport numbers, driver’s license numbers, and other official ID info that could be misused if they appear online.

To use this feature, you sign in to your Google account and select ‘Results about you,’ where you can fill out the information you want to track. Google will proactively scan Search for results that match your personal information and alert you if it finds something.

From there, you can review each result and request removal directly within the tool. You can also manually submit a removal request if you come across sensitive information yourself. Google says it will review these requests and remove results that violate its policies.

How to remove explicit images from Search

Google is also simplifying the process for removing explicit images, especially those shared without consent. You can now request the removal of explicit images more easily, including submitting multiple images at once rather than filing separate requests.

Once an image is removed, Google will also offer an option to proactively filter out similar explicit images from future Search results, to prevent similar content from resurfacing.

You can now track all your removal requests in one place through the Results about you hub, with email updates to keep you informed whenever the status changes.

Google also points out that removing information from Search does not erase it from the internet altogether, but it can still go a long way in protecting your privacy.

The update also comes as Google shuts down its dark web reports, which previously alerted users when their name, phone number, or email surfaced online in a data breach.

Google says those alerts did not always help people take meaningful action, something the new removal tools are designed to address.

Microsoft has released the Windows 10 KB5075912 extended security update to fix February 2026 Patch Tuesday vulnerabilities, including six zero-days, and continue rolling out replacements for expiring Secure Boot certificates.

If you are running Windows 10 Enterprise LTSC or are enrolled in the ESU program, you can install this update like normal by going into Settings, clicking on Windows Update, and manually performing a ‘Check for Updates.’

After installing this update, Windows 10 will be updated to build 19045.6937, and Windows 10 Enterprise LTSC 2021 will be updated to build 19044.6937.

What’s new in Windows 10 KB5075912

Microsoft is no longer releasing new features for Windows 10, and the KB5075912 update contains only security fixes and bug fixes introduced by previous security updates.

With today’s February 2026 Patch Tuesday, Microsoft has fixed 58 vulnerabilities, including six actively exploited zero-day flaws.

KB5075912 also fixes a known issue that prevented Windows 10 devices from shutting down or hibernating if System Guard Secure Launch is enabled.

The complete list of fixes is below:

• [Fonts] This update includes changes to Chinese fonts to meet GB18030-2022A compliance.
• [OS Security (known issue)] Fixed: After installing the Windows security update released on or after January 13, 2026, some Secure Launch-capable PCs with Virtual Secure Mode (VSM) enabled are unable to shut down or enter hibernation. Instead, the device restarts.
• [Folders] Fixed: This update fixes an issue that affects folder renaming with desktop.ini files in File Explorer. The LocalizedResourceName setting was ignored, so custom folder names did not show. Now, custom folder names appear as expected.
• [Graphics] Fixed: A stability issue affecting certain graphics processing units (GPUs) configurations.
• [Secure Boot] With this update, Windows quality updates include a broad set of targeting data that identifies devices and their ability to receive new Secure Boot certificates. Devices will receive the new certificates only after they show sufficient successful update signals, which helps ensure a safe and phased rollout.

Since June 2025, Microsoft has warned that multiple Windows Secure Boot certificates from 2011 are expiring in June 2026, and warned that if they are not updated, it would breach Secure Boot protections.

These certificates are used to validate Windows boot components, third-party bootloaders, and Secure Boot revocation updates, and if expired, could allow threat actors to bypass security protections.

As part of today’s update, Microsoft continues to roll out the new Secure Boot certificates to targeted systems, with updates to additional systems being installed as the targeting scope expands.

Microsoft states that there are no known issues with this update.

Modern IT infrastructure moves faster than manual workflows can handle.

In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.

Get the guide

A newly documented Linux botnet named SSHStalker is using the IRC (Internet Relay Chat) communication protocol for command-and-control (C2) operations.

The protocol was invented in 1988, and its adoption peaked during the 1990s, becoming the main text-based instant messaging solution for group and private communication.

Technical communities still appreciate it for its implementation simplicity, interoperability, low bandwidth requirements, and no need for a GUI.

The SSHStalker botnet relies on classic IRC mechanics such as multiple C-based bots and multi-server/channel redundancy instead of modern C2 frameworks, prioritizing resilience, scale, and low cost over stealth and technical novelty.

According to researchers at threat intelligence company Flare, this approach extends to other characteristics of SSHStalker’s operation, like using noisy SSH scans, one-minute cron jobs, and a large back-catalog of 15-year old CVEs.

“What we actually found was a loud, stitched-together botnet kit that mixes old-school IRC control, compiling binaries on hosts, mass SSH compromise, and cron-based persistence. In other words scale-first operation that favors reliability over stealth,” Flare says.

SSHStalker achieves initial access through automated SSH scanning and brute forcing, using a Go binary that masquerades as the popular open-source network discovery utility nmap.

Compromised hosts are then used to scan for additional SSH targets, which resembles a worm-like propagation mechanism for the botnet.

Flare found a file with results from nearly 7,000 bot scans, all from January, and focused mostly on cloud hosting providers in Oracle Cloud infrastructure.

Once SSHStalker infects a host, it downloads the GCC tool for compiling payloads on the victim device for better portability and evasion.

The first payloads are C-based IRC bots with hard-coded C2 servers and channels, which enroll the new victim in the botnet’s IRC infrastructure.

Next, the malware fetches archives named GS and bootbou, which contain bot variants for orchestration and execution sequencing.

Persistence is achieved via cron jobs that run every 60 seconds, invoking a watchdog-style update mechanism that checks whether the main bot process is running and relaunches it if it is terminated.

The botnet also contains exploits for 16 CVEs targeting Linux kernel versions from the 2009-2010 era. This is used to escalate privileges after the earlier brute-forcing step grants access to a low-privileged user.

Regarding monetization, Flare noticed that the botnet performs AWS key harvesting and website scanning. It also includes cryptomining kits such as the high-performance Ethereum miner PhoenixMiner.

Distributed denial-of-service (DDoS) capabilities are also present, though the researchers noted they have not yet observed any such attacks. In fact, SSHStalker’s bots currently just connect to the C2 and then enter an idle state, suggesting testing or access hoarding for now.

Flare has not attributed SSHStalker to a particular threat group, though it noted similarities with the Outlaw/Maxlas botnet ecosystem and various Romanian indicators.

The threat intelligence company suggests placing monitoring solutions for compiler installation and execution on production servers, and alerts for IRC-style outbound connections. Cron jobs with short execution cycles from unusual paths are also big red flags.

Mitigation recommendations include disabling SSH password authentication, removing compilers from production images, enforcing egress filtering, and restricting execution from ‘/dev/shm.’

Modern IT infrastructure moves faster than manual workflows can handle.

In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.

Get the guide