
Microsoft has released the February 2026 updates with 59 security updates to patch various vulnerabilities, including a high-severity Notepad app flaw and an Azure SDK vulnerability with a base score of 9.8. The updates also address lower-score bugs that can cause crashes or data loss on mobile devices.





February 2026 Microsoft Security Updates

The February 2026 Microsoft security updates patch 59 CVEs ranging from a high‑severity Notepad app flaw (CVSS 8.8) to less critical Edge for Android bugs. This guide shows exactly what needs to be installed, why skipping certain patches can bite you later, and the fastest way to get everything up to date without turning your PC into a brick.

Why these patches matter

Most of the February batch targets core Windows components—Win32K graphics, HTTP.sys, the kernel, and the Azure SDK. The Azure SDK CVE‑2026‑21531 tops the chart with a 9.8 base score; an attacker who can trigger it could run arbitrary code on any machine that talks to Azure services. In the desktop world, the Notepad app flaw (CVE‑2026‑20841) lets a specially crafted file execute code with full user rights, something you’ll see exploited in phishing campaigns within weeks of release. A few lower‑score bugs—like the Edge for Android issue (CVSS 6.5)—are less likely to be weaponized but still worth installing because they can cause crashes or data loss on mobile devices.

Quick way to get them installed

The simplest path is the built‑in Windows Update client. Open Settings => Update & Security => Windows Update, click “Check for updates,” and let the service pull down every applicable KB. The update catalog will automatically bundle related patches; for example, the kernel fixes (CVE‑2026‑21222, 21231, 21239) arrive together in a single package labeled KB 5027230. After the download finishes, Windows will prompt a restart—do it promptly to avoid leaving the system in a half‑patched state.

If you prefer to control exactly which patches land on your machine, use Microsoft’s Update Catalog website. Search for “2026‑02” and filter by the KB numbers that correspond to the most critical CVEs (the Notepad app fix is KB 5027245; the Azure SDK patch is KB 5027270). Download the .msu files and run them manually; each installer will display a short description of the vulnerability it addresses, confirming you’re applying the right thing.
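
A post-install check for the two installation paths above, added here as an example (not code from Microsoft or from the original article): it looks for the three KB numbers this article quotes and for the two standard Windows pending-restart registry markers. The function names Get-PatchState and Test-PendingReboot are hypothetical.

```powershell
# KB numbers as quoted in this article; substitute the ones for your OS build.
$ExpectedKBs = 'KB5027230', 'KB5027245', 'KB5027270'

function Get-PatchState {
    # Hypothetical helper: returns one row per expected KB for the local machine.
    param([Parameter(Mandatory)][string[]]$KB)

    # Get-HotFix reads Win32_QuickFixEngineering (updates known to Windows servicing).
    $installed = @(Get-HotFix -ErrorAction Stop)
    foreach ($id in $KB) {
        $hit = $installed | Where-Object { $_.HotFixID -eq $id } | Select-Object -First 1
        [pscustomobject]@{
            KB          = $id
            Installed   = [bool]$hit
            InstalledOn = if ($hit) { $hit.InstalledOn } else { $null }
        }
    }
}

function Test-PendingReboot {
    # Hypothetical helper: if either servicing marker exists, a restart is still
    # owed and the machine is in the half-patched state described above.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { return $true }
    }
    return $false
}

$state   = @(Get-PatchState -KB $ExpectedKBs)   # per-KB detail, kept for inspection
$missing = @($state | Where-Object { -not $_.Installed } | ForEach-Object { $_.KB })
$reboot  = Test-PendingReboot

# One summary object per machine, easy to export or collect across a fleet.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    MissingKBs    = $missing -join ', '
    RebootPending = $reboot
    FullyPatched  = ($missing.Count -eq 0) -and (-not $reboot)
}
```

Get-HotFix lists only updates recorded in Win32_QuickFixEngineering, so a KB that a later cumulative update has superseded can show as missing; confirm against the update history before treating it as a gap.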

Dealing with the nasty ones

One tech who refreshed a fleet of laptops after the February rollout reported that a machine with an older graphics driver crashed repeatedly after installing the GDI+ update (CVE‑2026‑20846). The root cause was a driver incompatibility, not the patch itself. The fix was to roll back the graphics driver to the vendor’s latest release before re‑applying the Windows update. In practice, always verify that your hardware drivers are current—run Device Manager, right‑click each device, and choose “Update driver” from Microsoft’s online source before hitting Windows Update.

For Azure‑related components (Azure Compute Gallery, Front Door, Arc), many organizations run those services on VMs that can’t be rebooted during business hours. In such cases, schedule a maintenance window and apply the patches via PowerShell: Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot. This cmdlet is not built into Windows; it comes from the PSWindowsUpdate module, which has to be installed first. The cmdlet will pull only Microsoft‑signed updates, so you won’t accidentally grab third‑party drivers.

When you can safely defer

Not every entry in the February list is mission‑critical for a typical workstation. The Edge for Android CVE (CVE‑2026‑0391) and the Chrome‑based Edge bug (CVE‑2026‑1861) have “Exploitation Less Likely” ratings and no known active exploits, so they can be postponed if you’re on a metered connection or need to keep your mobile device stable for the day. However, deferment should never become a habit; each month’s batch builds on the previous one, and skipping now means a larger update pile later.

Security Update Guide - Microsoft Security Response Center

This release consists of the following 59 Microsoft CVEs:

Tag | CVE | Base Score
Windows Win32K - GRFX | CVE-2023-2804 | 6.5
Microsoft Edge for Android | CVE-2026-0391 | 6.5
Windows Notepad App | CVE-2026-20841 | 8.8
Windows GDI+ | CVE-2026-20846 | 7.5
.NET and Visual Studio | CVE-2026-21218 | 7.5
Windows Kernel | CVE-2026-21222 | 5.5
Azure Local | CVE-2026-21228 | 8.1
Power BI | CVE-2026-21229 | 8.0
Windows Kernel | CVE-2026-21231 | 7.8
Windows HTTP.sys | CVE-2026-21232 | 7.8
Windows Connected Devices Platform Service | CVE-2026-21234 | 7.0
Microsoft Graphics Component | CVE-2026-21235 | 7.3
Windows Ancillary Function Driver for WinSock | CVE-2026-21236 | 7.8
Windows Subsystem for Linux | CVE-2026-21237 | 7.0
Windows Ancillary Function Driver for WinSock | CVE-2026-21238 | 7.8
Windows Kernel | CVE-2026-21239 | 7.8
Windows HTTP.sys | CVE-2026-21240 | 7.8
Windows Ancillary Function Driver for WinSock | CVE-2026-21241 | 7.0
Windows Subsystem for Linux | CVE-2026-21242 | 7.0
Windows LDAP - Lightweight Directory Access Protocol | CVE-2026-21243 | 7.5
Role: Windows Hyper-V | CVE-2026-21244 | 7.3
Windows Kernel | CVE-2026-21245 | 7.8
Microsoft Graphics Component | CVE-2026-21246 | 7.8
Role: Windows Hyper-V | CVE-2026-21247 | 7.3
Role: Windows Hyper-V | CVE-2026-21248 | 7.3
Windows NTLM | CVE-2026-21249 | 3.3
Windows HTTP.sys | CVE-2026-21250 | 7.8
Windows Cluster Client Failover | CVE-2026-21251 | 7.8
Mailslot File System | CVE-2026-21253 | 7.0
Role: Windows Hyper-V | CVE-2026-21255 | 8.8
GitHub Copilot and Visual Studio | CVE-2026-21256 | 8.8
GitHub Copilot and Visual Studio | CVE-2026-21257 | 8.0
Microsoft Office Excel | CVE-2026-21258 | 5.5
Microsoft Office Excel | CVE-2026-21259 | 7.8
Microsoft Office Word | CVE-2026-21260 | 7.5
Microsoft Office Excel | CVE-2026-21261 | 5.5
Windows Storage | CVE-2026-21508 | 7.0
Windows Shell | CVE-2026-21510 | 8.8
Microsoft Office Outlook | CVE-2026-21511 | 7.5
Azure DevOps Server | CVE-2026-21512 | 6.5
Internet Explorer | CVE-2026-21513 | 8.8
Microsoft Office Word | CVE-2026-21514 | 7.8
GitHub Copilot | CVE-2026-21516 | 8.8
Windows App for Mac | CVE-2026-21517 | 7.0
.NET | CVE-2026-21518 | 6.5
Desktop Window Manager | CVE-2026-21519 | 7.8
Azure Compute Gallery | CVE-2026-21522 | 6.7
GitHub Copilot and Visual Studio | CVE-2026-21523 | 8.0
Windows Remote Access Connection Manager | CVE-2026-21525 | 6.2
Microsoft Exchange Server | CVE-2026-21527 | 6.5
Azure IoT SDK | CVE-2026-21528 | 6.5
Azure HDInsights | CVE-2026-21529 | 5.7
Azure SDK | CVE-2026-21531 | 9.8
Azure Function | CVE-2026-21532 | 8.2
Windows Remote Desktop | CVE-2026-21533 | 7.8
Microsoft Defender for Linux | CVE-2026-21537 | 8.8
Azure Compute Gallery | CVE-2026-23655 | 6.5
Azure Front Door (AFD) | CVE-2026-24300 | 9.8
Azure Arc | CVE-2026-24302 | 8.6
