
Sources: Krebs on Security · BleepingComputer · Cisco Talos
Reference: Microsoft Security Update Guide, March 2026
Target audience: Windows administrators, SOC teams, CERT/CSIRT, patch management leads
Overview
On March 10, 2026, Microsoft released its monthly Patch Tuesday security updates, addressing 79 vulnerabilities across Windows, Office, SQL Server, Azure, and several third-party components. Three vulnerabilities are classified as Critical; the remainder are rated Important.
Vulnerability breakdown by category:
- 46 Elevation of Privilege (EoP)
- 18 Remote Code Execution (RCE)
- 10 Information Disclosure
- 4 Denial of Service (DoS)
- 4 Spoofing
- 2 Security Feature Bypass
This count does not include the 9 Microsoft Edge patches released separately, nor the Azure, Mariner, or Microsoft Devices Pricing Program fixes published earlier in the month.
Two Publicly Disclosed Zero-Days
No actively exploited zero-days are reported this month, a notable contrast to February 2026’s five zero-day disclosures. However, two vulnerabilities were publicly known before patches were made available.
CVE-2026-21262: SQL Server Elevation of Privilege (CVSS 8.8)
This vulnerability stems from improper access control in SQL Server. An authenticated attacker with low privileges can elevate to the sysadmin fixed server role over the network. It affects SQL Server 2016 and later versions.
Rapid7’s Adam Barnett notes that the CVSS score of 8.8 falls just below the Critical threshold only because low-level privileges are required as a prerequisite. The potential impact remains high and justifies priority patching.
The vulnerability was originally disclosed in the article Packaging Permissions in Stored Procedures by Erland Sommarskog, credited as the discoverer.
CVE-2026-26127: .NET Denial of Service
An out-of-bounds read in .NET allows an unauthenticated attacker to trigger a denial of service over the network. The immediate impact is a crash of the affected process; the real operational cost comes from the service being unavailable until it is restarted, and from an attacker being able to repeat the trigger. Attributed to an anonymous researcher.
Critical Vulnerabilities
Microsoft Office RCE via the Preview Pane
CVE-2026-26113 (type confusion) and CVE-2026-26110 (untrusted pointer dereference) are two Critical-rated Remote Code Execution vulnerabilities in Microsoft Office. Both can be triggered merely by rendering a malicious message in the Preview Pane; the user does not have to open the item or click anything.
These two CVEs represent the most urgent patching priority of this cycle for environments running Outlook or any client exposing the Office Preview Pane.
CVE-2026-26144: Microsoft Excel Information Disclosure via Copilot (Critical)
This vulnerability results from improper input neutralization in Excel. It could allow an attacker to force Copilot Agent Mode to exfiltrate data via unintended network egress, achieving a zero-click information disclosure attack. Microsoft rates exploitation as “unlikely,” but its vector through integrated generative AI deserves specific attention in Microsoft 365 Copilot environments.
“Exploitation More Likely” Vulnerabilities to Prioritize
Cisco Talos and Tenable flag six additional vulnerabilities rated Important by Microsoft but assessed as “more likely” to be exploited:
| CVE | Component | Impact |
|---|---|---|
| CVE-2026-23668 | Windows Graphics Component | EoP |
| CVE-2026-24291 | Windows Accessibility Infrastructure (ATBroker.exe) | EoP, SYSTEM (CVSS 7.8) |
| CVE-2026-24294 | Windows SMB Server | EoP, SYSTEM (CVSS 7.8) |
| CVE-2026-24289 | Windows Kernel | EoP, memory corruption (CVSS 7.8) |
| CVE-2026-25176 | Ancillary Function Driver for WinSock | EoP |
| CVE-2026-25187 | Winlogon | EoP, discovered by Google Project Zero (CVSS 7.8) |
These vulnerabilities affect core Windows components that every workstation and server ships with, and local EoP bugs of this kind are routinely chained after an initial foothold. Prioritization is recommended even in the absence of confirmed in-the-wild exploitation.
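The sections above argue for a patch order: exploited bugs first (none this month), then the Critical Preview Pane RCEs that need no user interaction, then the two publicly disclosed bugs, then the remaining Criticals, then Microsoft's "Exploitation More Likely" Importants, then the rest. The script below is an added example, not from the cited sources or from Microsoft, that encodes that order as a triage function and runs it over the CVEs named in this write-up. Fields the write-up does not give (CVSS scores for most entries, Microsoft's exploitability index for anything other than the seven it mentions) are left at their defaults, and the severity "Important" for the non-Critical entries follows from the overview's statement that everything outside the three Criticals is Important. The tier thresholds are an assumption; adapt them to your own risk model.

```python
"""Patch-priority triage for the March 2026 Patch Tuesday CVEs discussed above.

Tier order (lower is more urgent):
  1  exploitation detected in the wild
  2  Critical RCE with no user interaction (Office Preview Pane)
  3  publicly disclosed before a patch was available
  4  remaining Critical
  5  Important, Microsoft exploitability index "More Likely"
  6  everything else that needs a deployment
  7  fixed server-side, nothing for customers to deploy
Within a tier, higher CVSS sorts first; a missing CVSS sorts last.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cve:
    cve_id: str
    component: str
    impact: str                      # RCE / EoP / Info / DoS / SSRF
    severity: str                    # Microsoft rating: "Critical" or "Important"
    cvss: Optional[float] = None     # None where the write-up gives no score
    publicly_disclosed: bool = False
    exploited: bool = False          # exploitation detected in the wild
    exploitability: Optional[str] = None   # MS index, e.g. "More Likely", "Unlikely"
    zero_click: bool = False         # triggers on render/preview, no user action
    requires_customer_action: bool = True  # False when Microsoft fixed it server-side


TIER_NAMES = {
    1: "exploited in the wild",
    2: "Critical RCE, no user interaction",
    3: "publicly disclosed before patch",
    4: "Critical",
    5: "Important, exploitation more likely",
    6: "Important",
    7: "fixed server-side, no customer action",
}


def tier(c: Cve) -> int:
    """Map one CVE to a priority tier; first matching rule wins."""
    if not c.requires_customer_action:
        return 7
    if c.exploited:
        return 1
    if c.severity == "Critical" and c.impact == "RCE" and c.zero_click:
        return 2
    if c.publicly_disclosed:
        return 3
    if c.severity == "Critical":
        return 4
    if c.exploitability == "More Likely":
        return 5
    return 6


def triage(cves: List[Cve]) -> List[Tuple[str, int, str]]:
    """Return (cve_id, tier, reason) ordered by (tier, -CVSS); ties keep input order."""
    ranked = sorted(cves, key=lambda c: (tier(c), -(c.cvss or 0.0)))
    return [(c.cve_id, tier(c), TIER_NAMES[tier(c)]) for c in ranked]


# Constructed from the write-up above; unstated fields stay at their defaults.
MARCH_2026 = [
    Cve("CVE-2026-26113", "Microsoft Office", "RCE", "Critical", zero_click=True),
    Cve("CVE-2026-26110", "Microsoft Office", "RCE", "Critical", zero_click=True),
    Cve("CVE-2026-26144", "Microsoft Excel / Copilot", "Info", "Critical",
        exploitability="Unlikely", zero_click=True),
    Cve("CVE-2026-21262", "SQL Server", "EoP", "Important", cvss=8.8, publicly_disclosed=True),
    Cve("CVE-2026-26127", ".NET", "DoS", "Important", publicly_disclosed=True),
    Cve("CVE-2026-23668", "Windows Graphics Component", "EoP", "Important",
        exploitability="More Likely"),
    Cve("CVE-2026-24291", "ATBroker.exe", "EoP", "Important", cvss=7.8,
        exploitability="More Likely"),
    Cve("CVE-2026-24294", "Windows SMB Server", "EoP", "Important", cvss=7.8,
        exploitability="More Likely"),
    Cve("CVE-2026-24289", "Windows Kernel", "EoP", "Important", cvss=7.8,
        exploitability="More Likely"),
    Cve("CVE-2026-25176", "AFD for WinSock", "EoP", "Important",
        exploitability="More Likely"),
    Cve("CVE-2026-25187", "Winlogon", "EoP", "Important", cvss=7.8,
        exploitability="More Likely"),
    Cve("CVE-2026-26118", "Azure MCP Server", "SSRF", "Important", cvss=8.8),
    Cve("CVE-2026-26128", "Windows SMB Server", "EoP", "Important"),
    Cve("CVE-2026-21536", "Microsoft Devices Pricing Program", "n/a", "Critical",
        cvss=9.8, requires_customer_action=False),
]


if __name__ == "__main__":
    for cve_id, t, why in triage(MARCH_2026):
        print(f"tier {t}  {cve_id:16}  {why}")
```

The rule order in tier() is the policy: a publicly disclosed Important outranks a Critical whose exploitation Microsoft rates "Unlikely", and a server-side fix drops to the bottom however high its CVSS, because there is nothing to deploy. If you feed this a CISA KEV or EPSS feed, set exploited from KEV membership rather than from the write-up.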
Notable: First CVE Officially Credited to an AI Agent
CVE-2026-21536 affects the Microsoft Devices Pricing Program component and carries a CVSS score of 9.8 (Critical). What makes this CVE notable: it was discovered by XBOW, a fully autonomous AI-powered penetration testing agent.
XBOW has consistently ranked at or near the top of the HackerOne bug bounty leaderboard for over a year. Microsoft resolved the issue server-side, requiring no action from end users.
Immersive Labs’ Ben McCarthy notes that this CVE demonstrates AI agents’ ability to identify critical vulnerabilities without access to source code, marking the formal entry of AI-assisted vulnerability research into the official CVE attribution process.
Additional Notable Vulnerabilities
Azure MCP Server (CVE-2026-26118, CVSS 8.8): A Server-Side Request Forgery vulnerability allowing an attacker to submit a malicious URL to an MCP Server tool. The server then sends an outbound request to that URL, potentially including its managed identity token. The attacker captures this token and obtains the permissions associated with the compromised identity, without gaining broader tenant-level or administrator access.
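The bug class described for CVE-2026-26118 is the classic credential-carrying SSRF: a tool follows a caller-supplied URL and sends the host's own identity token with it. The snippet below is an added example, not Microsoft's Azure MCP Server code and not derived from the fix, showing the vulnerable shape beside a hardened one. The allowlist of token-scoped hosts, the class and function names, and the sample URLs are all constructed for illustration.

```python
"""SSRF guard for an MCP-style "fetch this URL" tool running under an Azure managed identity.

Two controls, both needed: never attach the identity's bearer token to a host the
operator did not allowlist, and refuse URLs whose host is a literal address in a
non-routable range (169.254.169.254 is the Azure IMDS endpoint the token itself
is minted from, so an SSRF that reaches it can mint fresh tokens).
"""
import ipaddress
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumed allowlist: the only hosts this tool may call with the identity token.
TOKEN_SCOPED_HOSTS = {"management.azure.com", "graph.microsoft.com"}


class SsrfRejected(ValueError):
    """Raised when a caller-supplied URL fails the outbound policy."""


def build_request_vulnerable(url: str, token: str) -> Tuple[str, Dict[str, str]]:
    """Before: any URL is accepted and the token is always attached (the bug shape)."""
    return url, {"Authorization": f"Bearer {token}"}


def _is_non_routable_literal(host: str) -> bool:
    """True if host is a literal IP in a loopback/link-local/private/reserved range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an address literal; the allowlist decides
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def build_request_hardened(url: str, token: str) -> Tuple[str, Dict[str, str]]:
    """After: https only, no userinfo tricks, no non-routable literals, allowlisted host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise SsrfRejected("only https is allowed")
    host = (parts.hostname or "").lower()
    if not host:
        raise SsrfRejected("missing host")
    if parts.username is not None or parts.password is not None:
        # e.g. https://management.azure.com@attacker.example/ parses as host attacker.example
        raise SsrfRejected("userinfo in URL")
    if _is_non_routable_literal(host):
        raise SsrfRejected("literal address in a non-routable range")
    if host not in TOKEN_SCOPED_HOSTS:
        raise SsrfRejected(f"{host} is not an allowlisted host for the identity token")
    return url, {"Authorization": f"Bearer {token}"}


def is_rejected(url: str) -> bool:
    """Convenience: does the hardened policy refuse this URL?"""
    try:
        build_request_hardened(url, "placeholder-token")
    except SsrfRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker-controlled inputs; none of these is contacted, only parsed.
    for candidate in [
        "https://management.azure.com/subscriptions?api-version=2022-01-01",
        "https://attacker.example/collect",
        "http://169.254.169.254/metadata/identity/oauth2/token",
        "https://management.azure.com@attacker.example/",
        "https://[fd00::1]/",
    ]:
        print(f"{'REJECT' if is_rejected(candidate) else 'allow '}  {candidate}")
```

The allowlist is the control that actually matters: decimal-encoded or DNS-rebinding hosts slip past range checks but never match an allowlisted name, and the token is never sent anywhere else. If the tool must fetch arbitrary URLs for its users, do that from a separate path that carries no identity token at all.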
Windows SMB Server (CVE-2026-26128): Improper authentication enabling privilege escalation to SYSTEM over the network.
SharePoint Server (CVE-2026-26106 and CVE-2026-26114): Two RCE vulnerabilities exploitable by an authenticated attacker holding at least Site Member permissions.
Microsoft Authenticator (CVE-2026-26123): Information disclosure vulnerability, worth monitoring in MFA-dependent environments.
Other Vendors Who Released March 2026 Updates
- Adobe: Patches for Acrobat, Adobe Commerce, Illustrator, Substance 3D Painter, Premiere Pro. No exploitation reported.
- Mozilla: Firefox 148.0.2 resolves three high-severity CVEs.
- Cisco: Security updates for numerous products.
- Fortinet: Patches for FortiOS, FortiPAM, and FortiProxy.
- Google: Android March 2026 bulletin includes an actively exploited zero-day in a Qualcomm display component.
- SAP: March 2026 updates include two critical vulnerabilities.
- HPE: Fixes for HPE Aruba Networking AOS-CX.
Microsoft also released an out-of-band emergency update on March 2, 2026 for Windows Server 2022, addressing a certificate renewal issue in Windows Hello for Business passwordless authentication.
Additional Resources
| Source | URL |
|---|---|
| SANS ISC Patch Tuesday | https://isc.sans.edu/diary/ |
| Microsoft Security Update Guide | https://msrc.microsoft.com/update-guide/ |
| Krebs on Security | https://krebsonsecurity.com/2026/03/microsoft-patch-tuesday-march-2026-edition/ |
| BleepingComputer | https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2026-patch-tuesday-fixes-2-zero-days-79-flaws/ |
| Cisco Talos | https://blog.talosintelligence.com/microsoft-patch-tuesday-march-2026/ |
| AskWoody (problematic update tracking) | https://www.askwoody.com |
Don't think about it, just patch!