Bulletin — February 2026

February 2026 is the month of hard anniversaries. On 2 February Art. 5 of the AI Act turns one year applicable — dedicated analysis in its post. On 21 February the ByBit hack turns one — dedicated analysis in its post. The rest of the month carries editorial weight: India hosts the first global AI summit of the year, Microsoft closes Patch Tuesday with six zero-days, CrowdStrike publishes GTR 2026 with headlines about 29-minute breakout time, DORA kicks off the active inspection cycle after the 2025 grace period.

AI Act Art. 5 — first anniversary

2 February. The applicability of the eight prohibitions of Art. 5 of Regulation (EU) 2024/1689 turns one. The year-end balance in one line: silent compliance via feature withdrawal under contractual pressure, with no public Art. 5 sanction published by any national authority. AESIA closes 2025 with 16 guides of practical scope and no published individual inspections. CNIL takes explicit jurisdiction over emotion recognition in the workplace and positions itself as the authority most likely to produce the first sanctioning decision in H1 2026.

Clearview AI still doesn’t operate in the EU market, but doesn’t pay the accumulated GDPR fines either; NOYB files a criminal complaint against the company in October 2025, partially supported on AI Act Art. 5(1)(e). The paper tiger keeps watching itself.

Full read: EU AI Act — one year of Art. 5: what’s been withdrawn, what’s still being sold.

India AI Impact Summit — Delhi replaces Paris

16-20 February, Bharat Mandapam, New Delhi. The Bletchley (UK, 2023) → Seoul (2024) → Paris (2025) sequence reaches Delhi as India AI Impact Summit 2026, the first global AI summit hosted in the Global South. Five days, around 600,000 in-person attendees, more than 100 countries represented, 20 international organisations.

Three structural sutras: People, Planet, Progress. Seven thematic groups: AI for economic growth and social good, democratising AI resources, inclusion for social empowerment, safe and trusted AI, human capital, science, resilience.

The Declaration of New Delhi on AI is signed on 18 February by 92 countries and international organisations. Technical read: the text remains as aspirational as Bletchley’s and Paris’s — affirms commitment, emphasizes the importance, calls for cooperation. The concrete line that’s moved in a year is the signing of the AI Office’s Code of Practice for GPAI by 26 providers (including OpenAI, Anthropic, Google, Mistral; without Meta) — that one is binding. The Delhi Declaration isn’t.

For 2026 the summit cycle continues: the next one is announced on European territory in H2 2026 without a confirmed date at month-end.

Source: https://impact.indiaai.gov.in/

vLLM CVE-2026-22778 — pre-auth RCE via video

2 February. Orca Security publishes CVE-2026-22778 in vLLM, the most widely deployed LLM inference server in production. CVSS 9.8, pre-auth RCE by passing a crafted video URL to the multimodal endpoint. The chain lives inside OpenCV’s JPEG2000 decoder (which vLLM uses through its FFmpeg dependency): first an info leak via a PIL exception reveals a BytesIO heap address (reducing ASLR effectiveness from 4·10⁹ to ~8 attempts), then a chained heap overflow gives flow control.

The patch lands in vLLM 0.14.1 and combines two fixes: input validation before the decoder, and blocking the path that returns the address in the exception message. Orca and OX Security estimate millions of vLLM inference servers exposed at the end of January — most operated by platform teams without OS-style update cadence.

The pattern is the one of the year: AI inference server = HTTP server with multimodal surface. What used to be “serve a model” today is serving a binary that pulls in FFmpeg, OpenCV, Pillow and half a dozen native codecs. The threat model inherited from the vllm[image,video] chain wasn’t mirrored in the operator’s security posture.

Source: https://orca.security/resources/blog/cve-2026-22778-vllm-rce-vulnerability/ · https://www.ox.security/blog/cve-2026-22778-vllm-rce-vulnerability/

ByBit — first anniversary, 3.54% recovered

21 February. First anniversary of the ByBit hack. LazarusBounty scoreboard: 3.54% frozen, 88.87% traceable but unfrozen, 7.59% dark. The comparison with WazirX (~85% returned via legal restructuring, not on-chain recovery) confirms that funds stolen by Lazarus at this scale don’t come back.

What did change in 12 months: Safe launches Guardrail in August 2025, blocking DELEGATECALL outside the allowlist; Pectra reaches mainnet in May 2025 with EIP-7702 enabling constrained session keys; the Ethereum Foundation takes stewardship of ERC-7730 from Ledger, dragging Trezor / MetaMask / WalletConnect into an open clear-signing standard.

Full read: ByBit, one year on: clear signing, Guardrail and EIP-7702.

Patch Tuesday February — 54 CVEs, 6 zero-days

10 February. Microsoft closes 54 CVEs according to Tenable (CrowdStrike and other vendors count 59 depending on methodology). Critical: 2. Important: 51. Six zero-days confirmed with in-the-wild exploitation:

• CVE-2026-21513 — MSHTML Framework, security feature bypass. CVSS 8.8. Publicly disclosed before the patch. Allows SmartScreen bypass via malformed HTML or crafted .lnk. Classic drive-by + LOLBin vector.
• CVE-2026-21510 — Windows Shell, security feature bypass. CVSS 8.8. Publicly disclosed. A single click on a malicious link executes content with no warning dialog.
• CVE-2026-21514 — Microsoft Word, security feature bypass. CVSS 7.8. Publicly disclosed. Opening a crafted Office document.
• CVE-2026-21533 — Windows Remote Desktop Services, EoP. CVSS 7.8. Local authenticated → SYSTEM. Reported as actively exploited.
• CVE-2026-21519 — Desktop Window Manager, EoP. CVSS 7.8. Local authenticated → SYSTEM. Exploited in the wild.
• CVE-2026-21525 — Windows Remote Access Connection Manager, DoS. CVSS 6.2. Limited exploitation details; affects corporate VPN connectivity.

A critical with high CVSS worth attention even without in-the-wild exploitation:

• CVE-2026-24300 — Azure Front Door, EoP. CVSS 9.8. Improper access control, no user interaction. Microsoft applies the patch in the Azure backend (no customer action required), but auditing Azure AD and Front Door logs for anomalous activity in the pre-patch window is SRE work.

Pattern of the month: bypassing Windows’s own security features (SmartScreen, Office Protected View, MSHTML) is the most fertile exploitation line for actors with 0-day access. Classic combo: drive-by → protection bypass → execution in user context → EoP to SYSTEM via one of the three kernel/RDP/DWM EoPs.

Source: https://msrc.microsoft.com/update-guide/releaseNote/2026-Feb · https://www.tenable.com/blog/microsofts-february-2026-patch-tuesday-addresses-54-cves-cve-2026-21510-cve-2026-21513 · https://krebsonsecurity.com/2026/02/patch-tuesday-february-2026-edition/

CrowdStrike Global Threat Report 2026 — breakout time at 29 minutes

24 February. CrowdStrike publishes the 2026 Global Threat Report. Three headlines worth noting:

• eCrime average breakout time drops to 29 minutes in 2025, with the record observed at 27 seconds. In 2024 it was 62 minutes. The yearly curve: actors with initial access bought in grey markets escalate to lateral movement before the average SOC closes the detection ticket. If the SOC’s mean time to detect exceeds 30 minutes for a priority alert, the attack is already lateral by the time the analyst opens it.
• AI-enabled adversaries +89% YoY. Documented operations using commercial or open-weights models for reconnaissance, credential theft, evasion. The Anthropic report from November 2025 that CrowdStrike co-signs as context. Additionally, prompt injection against GenAI tools deployed in >90 organisations during 2025.
• 42% of exploited vulnerabilities used before public disclosure (zero-day from the defender’s perspective). Cloud-conscious intrusions +37% YoY, with state-nexus going up +266% in cloud targeting for intelligence collection.

The PRESSURE CHOLLIMA $1.46B that the report cites is CrowdStrike’s attribution for the cluster that executed ByBit — an alias for TraderTraitor / Lazarus. The figure matches within a few million the FBI’s documented loss ($1.5B).

Editorial read: the evasive adversary is the framing of the year. What was “ransomware as an industry” in 2024 is “business email compromise + cloud + AI” in 2026. The missing public piece of the puzzle is Mandiant.

Source: https://www.crowdstrike.com/en-us/press-releases/2026-crowdstrike-global-threat-report/

Mandiant — M-Trends 2026 promo, April publication

End of February. Mandiant opens promotion of the M-Trends 2026 Report — effective publication date of the full report in April 2026, not February. What’s available now: a preview and the figure the sectoral press repeats at the end of February — 22 seconds median between initial access and hand-off to a secondary group, against 8 hours in 2022.

The read: the initial access broker market is now a real-time market, with automation between the initial broker and the operator who monetises (ransomware, espionage, BEC). Traditional dwell time loses meaning as a primary metric when the attacker factors the kill chain into steps bought separately.

Confirmation: exploitation of internet-facing systems is the most common initial infection vector for the sixth consecutive year, 32% of cases where Mandiant identifies the entry point. North Korean insider threats (operatives with fabricated identities employed as remote workers in Western tech) persist as a documented category.

Verizon DBIR 2026 doesn’t come out in February (the typical edition lands in April-May). For a consolidated yearly summary, wait until Q2 2026.

Source: https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026/

DORA — active enforcement after the grace period

February 2026. 13 months on from DORA’s applicability (17 January 2025, covered in its post). National competent authorities kick off the effective supervision phase, according to sector trackers. The informal 2025 grace period ends. The regime applies the first compulsion payments to entities with incomplete compliance reporting.

What this means operationally:

• On-site compliance reviews start in Q1 2026 against systemic entities that began their first TLPT cycle in January 2025. Banco de España, CNMV, DGSFP in Spain. ACPR + AMF in France. BaFin in Germany.
• Critical ICT provider designation — the ESAs publish during the first half the official list of providers designated as critical under DORA Art. 31. Main hyperscalers (AWS, Azure, GCP), sectoral SaaS providers and core banking platforms are expected.
• First sanctions against laggard entities in H1 2026 according to trackers like regulation-dora.eu. No public individual sanction confirmed at February close.
• DORA ↔ NIS2 ↔ ENS coordination in Spain. NIS2 transposed in H2 2025; the dual regime for Spanish financial entities in ENS sectors creates overlap of obligations that’s being handled via a joint INCIBE-CERT + Banco de España circular, expected Q1 2026.

Source: https://www.regulation-dora.eu/blog/dora-2026-enforcement-what-changes

CISA KEV — three updates in February

3, 13 and 17 February. CISA adds vulnerabilities to the Known Exploited Vulnerabilities catalog in three batches with evidence of in-the-wild exploitation:

• 3 Feb: 4 CVEs added (various products).
• 13 Feb: CVE-2026-1731 — BeyondTrust Remote Support / Privileged Remote Access OS Command Injection. Continuation of the BeyondTrust file that started in December 2024 with the US Treasury case. Pivotal for teams still running BeyondTrust RS / PRA in production.
• 17 Feb: 4 additional CVEs including:
  • CVE-2026-2441 — Google Chromium CSS Use-After-Free, browser-typical vector to escalate from drive-by to sandbox escape.
  • CVE-2024-7694 — TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File. A security product turning into a vector — pattern seen with Sophos / SonicWall / Fortinet in previous years.
  • CVE-2020-7796 — Synacor Zimbra Collaboration Suite SSRF (resurrection of a 5-year-old vulnerability with recent exploitation evidence).
  • CVE-2008-0015 — Microsoft Windows Video ActiveX Control RCE (18-year-old resurrection, IoC specific to a recent campaign).

The two resurrections (Zimbra and ActiveX) are the ones worth tracking: an attacker is using old vulnerabilities on exposed legacy systems, which confirms that the living off the legacy pattern stays profitable when there are unpatched assets out there.

Source: https://www.cisa.gov/news-events/alerts/2026/02/17/cisa-adds-four-known-exploited-vulnerabilities-catalog · https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Rest of the month

• Replika sanction reaffirmed in Italy (5 Feb). Garante reaffirms the ban on Replika (Luka Inc.) for GDPR non-compliance with a chatbot directed at minors. The reasoning incidentally touches AI Act Art. 5(1)(b) — exploitation of age-based vulnerability — although the formal basis is GDPR. Source: https://www.edpb.europa.eu/news/national-news/2025/ai-italian-supervisory-authority-fines-company-behind-chatbot-replika_en
• Pectra mainnet anniversary forward-looking. Pectra hits eight months in February (entered 7 May 2025). The Safe Foundation publishes a roadmap for existing deployments to accept EIP-7702 delegation through Q2-Q3 2026.
• Operation Endgame, 2026 round. Europol coordinates with FBI, NCA and BfV on a new round of takedowns against loaders and RATs. Operational details remain embargoed at month-end.
• AI Action Summit follow-up — no Paris 2026. The summit sequence continues toward India in February (covered above). No European summit in H1 2026.

Closing

Cross-cutting pattern of the month: anniversaries consolidate, they don’t reset. AI Act Art. 5 turns one with no public sanction but with sotto voce compliance via contracts; ByBit turns one with 96% of funds unrecovered but with three new defensive pieces (Guardrail, EIP-7702, official ERC-7730); DORA hits 13 months moving from grace period to active enforcement. The second year of each milestone is where the practice is shaped, not where the regime starts.

For March: 10th’s Patch Tuesday, Pwn2Own Vancouver (15-17 per tentative calendar, to confirm), AI Act Annex III at five months out, NVIDIA GTC.