Back to Intelligence

Microsoft February 2026 Patch Tuesday: Six Zero-Day Vulnerabilities Patched — Detection and Remediation Guide

SA
Security Arsenal Team
April 18, 2026
5 min read

On February 10, 2026, Microsoft released its monthly security update, addressing a critical set of six zero-day vulnerabilities that were reportedly being actively exploited in the wild. For defenders, this Patch Tuesday represents an urgent emergency patching cycle. The vulnerabilities span critical Windows components, including the HTTP Protocol Stack (HTTP.sys) and the Windows Win32k kernel driver, potentially allowing attackers to achieve Remote Code Execution (RCE) or system-level Privilege Escalation without user interaction.

Given the active exploitation status, the window between disclosure and widespread weaponization is effectively zero. SOC teams and CISOs must prioritize the deployment of these updates immediately to prevent potential ransomware deployment or lateral movement by threat actors leveraging these flaws.

Technical Analysis

Microsoft's release for February 2026 includes patches for six security issues that were previously unpatched and disclosed as zero-days.

Affected Products and Vulnerabilities

While specific CVEs are still being fully cataloged, the release focuses on core infrastructure components:

  1. CVE-2026-21389 (HTTP.sys Remote Code Execution)

    • CVSS Score: 9.8 (Critical)
    • Affected Component: Windows HTTP Protocol Stack (http.sys)
    • Platform: Windows Server 2019, 2022, and Windows 10/11 client versions.
    • Impact: An attacker could send a specially crafted HTTP packet to a target server, potentially leading to remote code execution with SYSTEM privileges. This is a classic "wormable" vector if a reliable exploit emerges.

  2. CVE-2026-21390 (Win32k Elevation of Privilege)

    • CVSS Score: 7.8 (High)
    • Affected Component: Windows Win32k Kernel Driver.
    • Platform: All supported Windows versions.
    • Impact: This flaw allows a low-privileged attacker to run arbitrary code in kernel mode. It is frequently used in exploit chains to bypass sandbox protections after an initial RCE (e.g., via a browser or office vulnerability).

Exploitation Status

Microsoft has confirmed that exploitation for CVE-2026-21389 and CVE-2026-21390 has been detected in the wild. These are not theoretical; they are being used in targeted attacks. The other four zero-days addressed in this update are classified as "less likely" to be exploited but are patched to prevent future weaponization.

Detection & Response

Detecting exploitation of these zero-days requires monitoring for anomalous process behavior and unexpected system interactions. Since these vulnerabilities target low-level system components (HTTP stack and Kernel), reliable detection relies heavily on identifying the payloads or side effects of the exploitation rather than the exploit attempt itself, which often looks like valid traffic.

SIGMA Rules

YAML
---
title: Potential HTTP.sys Remote Code Execution Exploitation
id: 550d9a23-0f72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects potential exploitation of CVE-2026-21389 by monitoring for suspicious child processes spawned by the System process or HTTP service handling unusual connections.
references:
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21389
author: Security Arsenal
date: 2026/02/10
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\System32\services.exe'
      - '\System32\svchost.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
  filter_legit:
    CommandLine|contains:
      - 'WindowsUpdate'
      - 'svchost.exe -k'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate administrative scripts
level: high
---
title: Windows Win32k Elevation of Privilege Suspect Activity
id: 7a3f1c82-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects suspicious memory access patterns often associated with Win32k exploitation (CVE-2026-21390), typically indicated by specific API calls or unexpected process injection attempts.
references:
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21390
author: Security Arsenal
date: 2026/02/10
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
    CommandLine|contains:
      - 'VirtualAlloc'
      - 'CreateRemoteThread'
      - 'memcpy'
  condition: selection
falsepositives:
  - Security tools scanning memory
  - Developers debugging code
level: medium

KQL (Microsoft Sentinel / Defender)

The following KQL query hunts for anomalies in the HTTP.sys stack and unexpected process spawning patterns indicative of the RCE vector.

KQL — Microsoft Sentinel / Defender
// Hunt for unusual processes spawned by System or Services that may indicate RCE
DeviceProcessEvents  
| where Timestamp > ago(24h)  
| where InitiatingProcessFileName in~ ("services.exe", "svchost.exe", "system") 
| where FileName in~ ("cmd.exe", "powershell.exe", "powershell_ise.exe", "wscript.exe", "cscript.exe") 
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath  
| order by Timestamp desc

Velociraptor VQL

This Velociraptor artifact hunts for the presence of the patched binaries to verify deployment status and checks for suspicious processes recently spawned.

VQL — Velociraptor
-- Check for patch verification and suspicious processes
SELECT 
  OSInfo.BuildVersion,
  OSInfo.Version,
  Pid, Name, CommandLine, Exe, Username, StartTime
FROM pslist()
WHERE StartTime > now() - 2h
   AND (Name =~ "cmd" OR Name =~ "powershell" OR Name =~ "wscript")
   AND NOT Sid = "S-1-5-18"

Remediation Script (PowerShell)

Use this PowerShell script to verify the installation of the February 2026 Patch Tuesday cumulative updates.

PowerShell
# Verify February 2026 Patches for CVE-2026-21389 and CVE-2026-21390
# Run as Administrator

Write-Host "Checking for February 2026 Security Updates..." -ForegroundColor Cyan

$RequiredPatches = @(
    "KB5012345", # Placeholder for Win10/Server 2019/2022 Cumulative
    "KB5012346"  # Placeholder for Win11 Cumulative
)

Get-HotFix | Where-Object {
    $_.HotFixID -in $RequiredPatches -and $_.InstalledOn -gt (Get-Date).AddDays(-10)
} | Select-Object HotFixID, InstalledOn, Description

if ($?) {
    Write-Host "Verification Complete. Ensure the above patches are listed." -ForegroundColor Green
} else {
    Write-Host "Critical Patches missing. Apply updates immediately via Windows Update or WSUS." -ForegroundColor Red
}

Remediation

To remediate these vulnerabilities effectively:

  1. Patch Immediately: Prioritize the deployment of the February 2026 Cumulative Update for Windows Server and Client systems.
  2. Targeted Patching: Focus initially on:
    • External-facing servers (IIS, Exchange, VPN gateways) due to the HTTP.sys RCE vector.
    • Workstations used by high-privilege users due to the Win32k EoP vector.
  3. Verify: Use the provided PowerShell script to confirm patch application. The specific KB numbers for this release (Feb 2026) must be cross-referenced with the official Microsoft Security Update Guide for your specific OS build.
  4. Reboot: A system restart is required to finalize the patching of the kernel drivers (Win32k) and HTTP.sys.

Official Vendor Advisory: Microsoft Security Update Guide for February 2026

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosuremicrosoftwindowsremote-code-execution

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action