
CVE-2026-21533

Remote Desktop Services -- elevation of privilege zero-day, part of six zero-days in February 2026

Exploited in the Wild

Actively exploited zero-day. Patched February 2026.

Summary

Field                Value
Driver               Remote Desktop Services (kernel component)
Vulnerability Class  Elevation of Privilege
CVSS                 7.8
Exploited ITW        Yes
Patch Date           February 11, 2026

Context

CVE-2026-21533 was one of six zero-days patched in the February 2026 Patch Tuesday cycle. Remote Desktop Services (RDS), formerly Terminal Services, is the Windows platform that implements Remote Desktop Protocol (RDP) sessions and remote application publishing (RemoteApp). Its kernel-mode component handles session creation and teardown, virtual channel data passing between client and server, and display remoting.

RDS zero-days are particularly concerning in enterprise environments where RDP is widely deployed for remote administration. A local privilege escalation in the RDS kernel component can be chained with an initial RDP session (obtained through compromised credentials or a separate RDP vulnerability) to achieve SYSTEM on the target host. The prerequisite is an authenticated session, so credential hygiene, Network Level Authentication (NLA), and tight membership of the Remote Desktop Users group directly affect how reachable the bug is.
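The following audit script is an added example, not code from the advisory or from the KernelSight page. It reports the host settings that determine how cheaply the "RDP session plus RDS kernel EoP" chain above can be exploited: whether inbound RDP is enabled, whether NLA is required, the security layer, the inbound firewall rule state, and who may open a session. Because the page names no KB number, the patch check is only a heuristic (has any update been installed since the stated patch date); the registry paths and cmdlets are standard Windows ones, and the patch date is the one from the summary table above. Run it in an elevated PowerShell session on the host being audited.

```powershell
# Added audit helper (not from the advisory or the KernelSight page).
# Reports RDP exposure on the local host; the patch-date heuristic assumes
# the February 11, 2026 date given in this page's summary table.

function Get-RdsExposure {
    param(
        # Date from the page; no KB is named, so this is a heuristic only.
        [datetime]$PatchDate = (Get-Date '2026-02-11')
    )

    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Join-Path $ts 'WinStations\RDP-Tcp'

    $tsProps  = Get-ItemProperty -Path $ts  -ErrorAction SilentlyContinue
    $rdpProps = Get-ItemProperty -Path $rdp -ErrorAction SilentlyContinue

    # fDenyTSConnections = 0 means inbound RDP is enabled.
    $rdpEnabled = ($tsProps.fDenyTSConnections -eq 0)

    # UserAuthentication = 1 requires Network Level Authentication before a
    # session exists, so an attacker still needs valid credentials before any
    # session-level kernel bug is reachable. 0 exposes the logon screen.
    $nlaRequired = ($rdpProps.UserAuthentication -eq 1)

    # SecurityLayer 2 = TLS only; 0 or 1 permit legacy RDP security.
    $secLayer = $rdpProps.SecurityLayer
    $port     = $rdpProps.PortNumber

    # Any enabled inbound rule in the built-in "Remote Desktop" group.
    $fwRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' `
                     -Direction Inbound -Enabled True -ErrorAction SilentlyContinue)
    $fwOpen = $fwRules.Count -gt 0

    # Accounts that may open an RDP session (local Administrators always can).
    $rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' `
                      -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty Name)

    # Heuristic: most recent update installed on or after the patch date.
    # This does not prove the CVE is fixed; it flags hosts with nothing newer.
    $recentFix = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDate } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    if ($recentFix) {
        $latest = '{0} on {1}' -f $recentFix.HotFixID,
                                  $recentFix.InstalledOn.ToShortDateString()
    } else {
        $latest = 'none since patch date'
    }

    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        RdpEnabled      = $rdpEnabled
        NlaRequired     = $nlaRequired
        SecurityLayer   = $secLayer
        Port            = $port
        FirewallInbound = $fwOpen
        RdpUsers        = ($rdpUsers -join ', ')
        LatestUpdate    = $latest
    }
}

$report = Get-RdsExposure
$report | Format-List

# The combinations that make the chain cheapest for an attacker.
if ($report.RdpEnabled -and -not $report.NlaRequired) {
    Write-Warning 'RDP enabled without NLA: a session is reachable before authentication.'
}
if ($report.RdpEnabled -and $report.FirewallInbound -and
    $report.LatestUpdate -eq 'none since patch date') {
    Write-Warning 'RDP exposed and no update installed since the February 2026 patch date; verify the cumulative update is applied.'
}
```

The two warnings are deliberately narrow: NLA does not fix the kernel bug, but it forces the attacker to hold credentials before the vulnerable code is reachable, which is the step the chain above depends on. To verify the fix itself, match the installed cumulative update against the KB listed in Microsoft's advisory rather than relying on the date heuristic.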

This is the first RDS vulnerability in the KernelSight corpus, establishing a new kernel attack surface category. The ITW exploitation suggests that threat actors have identified RDS kernel components as viable targets.

Root Cause

Microsoft's advisory confirms a privilege escalation without disclosing the specific mechanism. The RDS kernel component handles session isolation, virtual channel data processing, and display driver interactions, each of which involves complex state management across multiple sessions and processes. Plausible root causes, none confirmed by the advisory, include object lifetime errors during session teardown, race conditions in virtual channel processing, or insufficient validation of data structures passed through the RDS protocol stack.

Exploitation

A local attacker reaches SYSTEM through the Remote Desktop Services kernel component. Details of the in-the-wild exploitation have not been publicly disclosed. Given the component, the most plausible entry point is a bug in session management or virtual channel processing that is reachable from an ordinary authenticated RDP session; this is inference from the affected component, not a disclosed exploit path.

Exploitation Primitive

RDS kernel component flaw --> privilege escalation --> SYSTEM

Broader Significance

The appearance of an RDS zero-day in a batch of six simultaneously exploited vulnerabilities is consistent with coordinated exploitation by a well-resourced threat actor, although the advisory itself does not attribute the activity. RDS is a high-value target because RDP is one of the most commonly exposed services in enterprise networks, and any EoP that chains with RDP access converts a limited-privilege remote session into full SYSTEM control. Defenders should note that RDS kernel components now join the list of actively exploited Windows kernel attack surfaces, and should prioritise patching on hosts where RDP is reachable from untrusted networks or by broad user populations.

References