Microsoft Patch Tuesday March 2026: 79 Vulnerabilities Addressed, Including Two Zero-Days and Critical RCE Flaws
The March 2026 release of Microsoft Patch Tuesday has introduced significant security updates that address a total of 79 vulnerabilities across various Microsoft products. This includes two publicly disclosed zero-day vulnerabilities and multiple high-risk issues related to remote code execution (RCE). The updates encompass essential software such as SQL Server, .NET, Microsoft Office, SharePoint Server, and Azure services.
Overview of Vulnerabilities
Among the vulnerabilities addressed in this release, three have been classified as “Critical.” Two of these critical vulnerabilities are associated with remote code execution, while the third involves an information disclosure flaw affecting Microsoft Excel. Although the two zero-day vulnerabilities were disclosed prior to the update, Microsoft has reported no evidence of their exploitation in real-world scenarios.
Breakdown of Security Updates
The March 2026 security updates cover a broad spectrum of vulnerabilities categorized as follows:
- 46 Elevation of Privilege Vulnerabilities
- 18 Remote Code Execution Vulnerabilities
- 10 Information Disclosure Vulnerabilities
- 4 Denial of Service Vulnerabilities
- 4 Spoofing Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
The substantial number of remote code execution vulnerabilities is particularly alarming, as these flaws can enable attackers to execute malicious code on targeted systems. Consequently, it is crucial for users to apply the March updates promptly to mitigate the risks associated with these security issues.
Zero-Day Vulnerabilities
Two zero-day vulnerabilities were disclosed before patches were made available. Microsoft defines a zero-day vulnerability as a flaw that becomes publicly known or actively exploited before an official fix is released.
CVE-2026-21262 – SQL Server Elevation of Privilege Vulnerability
One of the zero-day vulnerabilities addressed in this release affects SQL Server. This flaw permits attackers with authorized access to escalate privileges over a network, potentially gaining SQL administrator permissions. Microsoft stated that improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
The vulnerability has a CVSS score of 8.8 and could enable attackers to obtain SQL sysadmin privileges once logged into a vulnerable system. It was discovered by security researcher Erland Sommarskog, who previously discussed the issue in an article titled “Packaging Permissions in Stored Procedures.”
CVE-2026-26127 – .NET Denial of Service Vulnerability
The second zero-day vulnerability impacts Microsoft .NET. It arises from an out-of-bounds read that could allow an unauthenticated attacker to cause a denial-of-service condition remotely. Microsoft noted that this out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network. The flaw was reported by an anonymous researcher, and while it has been publicly disclosed, Microsoft indicated that exploitation appears unlikely.
Critical Remote Code Execution Vulnerabilities in Microsoft Office
The March Patch Tuesday release also addresses two critical remote code execution vulnerabilities within Microsoft Office. Both vulnerabilities could allow attackers to execute malicious code locally and can be triggered through the Preview Pane, meaning a user may not need to open a file for exploitation to occur. Due to the associated risks, Microsoft recommends prioritizing updates for Office installations.
Additionally, another Office-related issue, CVE-2026-26109, is categorized as “Important” and involves an out-of-bounds read in Excel. Successful exploitation of this vulnerability could allow attackers to execute code locally and compromise affected systems.
Excel Vulnerability Raises Data Exfiltration Concerns
One of the most significant issues patched during this release is CVE-2026-26144, a critical information disclosure vulnerability affecting Microsoft Excel, with a CVSS score of 7.5. This vulnerability stems from improper neutralization of input in Excel, potentially allowing attackers to extract sensitive information through a zero-click attack involving Microsoft Copilot.
Microsoft explained that an attacker who successfully exploited this vulnerability could potentially cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling a zero-click information disclosure attack. The flaw does not utilize the Preview Pane as an attack vector and currently has no known exploit code, with Microsoft assessing exploitation as unlikely.
Security analysts from Project Overwatch have warned about the potential implications of this vulnerability, describing it as an unusual attack technique that leverages AI features. They noted that CVE-2026-26144 is unlike any other vulnerability seen in recent years, emphasizing its unique nature as a zero-click attack that could silently exfiltrate sensitive data from Excel spreadsheets.
SharePoint and Azure Security Issues
The March Patch Tuesday update also includes fixes for remote code execution vulnerabilities affecting Microsoft SharePoint Server. Both vulnerabilities allow authenticated attackers with Site Member permissions to execute code remotely on a SharePoint Server.
Another issue, CVE-2026-26118, affects Azure MCP Server Tools. This elevation-of-privilege vulnerability is caused by server-side request forgery (SSRF). Attackers could exploit it by sending crafted input to a Model Context Protocol server tool, potentially capturing a managed identity token and accessing resources associated with that identity.
Additional Privilege Escalation Risks
Several vulnerabilities rated as “Important” have also been flagged as more likely to be exploited. These include issues affecting:
- Windows Graphics Component
- Windows Kernel
- Windows Accessibility Infrastructure (ATBroker.exe)
- Windows SMB Server
- WinSock Ancillary Function Driver
- Winlogon
One notable flaw, CVE-2026-26128, affects Windows SMB Server and allows attackers to gain SYSTEM privileges if successfully exploited.
As reported by thecyberexpress.com, the March 2026 Patch Tuesday release underscores the critical need for organizations to remain vigilant and apply security updates promptly to safeguard their systems against emerging threats.
