February 2026 Security Update: In-Depth Review
February 2026 brought significant security updates from Adobe and Microsoft, addressing a range of vulnerabilities across multiple software products. Here’s a detailed look at these updates.
February 2026 Security Update: Key Facts and Events
Adobe’s Security Patches
Adobe issued nine bulletins this month, tackling a total of 44 unique Common Vulnerabilities and Exposures (CVEs). The affected products include:
- Adobe Audition
- After Effects
- InDesign
- Substance 3D Designer
- Substance 3D Stager
- Adobe Bridge
- Substance 3D Modeler
- Lightroom Classic
- Adobe DNG Software Development Kit (SDK)
The most substantial update was for After Effects, which resolved 15 bugs—13 classified as Critical and two as Important. The Substance 3D Designer also had notable fixes, addressing seven issues, with two rated as Critical. Other highlights include:
- Substance 3D Stager: Fixed five Critical bugs susceptible to code execution.
- Audition: Resolved six bugs; one classified as Critical.
- Adobe DNG SDK: Fixed two Critical and two Important bugs.
- InDesign: Fixed three bugs; one categorized as Critical.
- Adobe Bridge: Fixed two Critical bugs with potential code execution risks.
- Lightroom Classic: Addressed one Critical bug.
- Substance 3D Modeler: Resolved one Important memory link issue.
No bugs addressed in these patches are reported as publicly known or currently being exploited, and all updates carry a deployment priority of 3.
Microsoft’s Security Updates
Microsoft released 58 new CVEs affecting various components like Windows, Office, and Azure. The overall count increased to 62 when including third-party and Chromium updates. Key details include:
- Five vulnerabilities rated as Critical, while two were Moderate and the remainder Important.
- Six actively exploited vulnerabilities were noted, with three categorized as publicly known.
Among the significant vulnerabilities, the following stood out:
- CVE-2026-21510: A security feature bypass in Windows Shell that allows code execution if a user interacts.
- CVE-2026-21514: A similar bypass vulnerability in Microsoft Word, requiring user interaction to exploit.
- CVE-2026-21519: This desktop window manager vulnerability permits attackers to run code with SYSTEM privileges.
- CVE-2026-21533: A local privilege escalation vulnerability concerning Remote Desktop Services.
- CVE-2026-21513: A feature bypass in Internet Explorer, still posing risks on Windows systems.
- CVE-2026-21525: A denial of service vulnerability in the Windows Remote Access Connection Manager.
These updates highlight the ongoing need for vigilance in securing software systems against evolving threats.
