PROBABLYPWNED
Vulnerabilities | March 11, 2026 | 4 min read

Microsoft Patches 83 Flaws in March 2026, Two Zero-Days Disclosed

Microsoft's March 2026 Patch Tuesday addresses 83 vulnerabilities including two publicly disclosed zero-days in SQL Server and .NET. Eight flaws rated Critical.

Marcus Chen

Microsoft released its March 2026 Patch Tuesday security updates yesterday, addressing 83 vulnerabilities across Windows, Office, Azure, SQL Server, and .NET. Two of those flaws were publicly disclosed as zero-days before patches became available.

TL;DR

  • What happened: Microsoft patched 83 CVEs, including 2 zero-days disclosed before fixes were ready
  • Who's affected: Windows, Office, SQL Server, .NET, Azure, and SharePoint deployments
  • Severity: 8 Critical, 75 Important
  • Action required: Prioritize SQL Server and .NET patches for publicly disclosed flaws

The Zero-Day Disclosures

The two publicly disclosed vulnerabilities stand out from the pack:

CVE-2026-21262 is an elevation of privilege bug in SQL Server with a CVSS score of 8.8. Attackers who exploit this flaw can gain sysadmin privileges through local access. Microsoft rates exploitation as "Less Likely" despite the public disclosure, but SQL Server environments handling sensitive data should patch immediately.

CVE-2026-26127 affects .NET 9.0 and 10.0 across Windows, macOS, and Linux. This denial-of-service vulnerability scores 7.5 on the CVSS scale. While the impact is availability rather than code execution, production .NET applications should apply updates before attackers weaponize the public details.

Neither zero-day shows evidence of active exploitation yet. That said, disclosed vulnerabilities attract attention from threat actors looking for quick wins.

Critical Remote Code Execution Flaws

Beyond the zero-days, Microsoft fixed eight Critical-severity vulnerabilities. The most dangerous affect Microsoft Office:

CVE-2026-26110 and CVE-2026-26113 are remote code execution bugs scoring 8.4 each. Both can be triggered through the Preview Pane in Outlook or File Explorer, meaning victims don't even need to open a malicious file. An attacker just needs to get a weaponized document into a user's mailbox or downloads folder.

SharePoint administrators should also pay attention. CVE-2026-26114 is a deserialization vulnerability that enables remote code execution without authentication on on-premises SharePoint Server deployments. This pattern of unauthenticated RCE in SharePoint has been a recurring problem for Microsoft, and organizations running self-hosted SharePoint should test and deploy this patch quickly.

Breakdown by Category

Looking at the full patch bundle:

  • Elevation of Privilege: 46 vulnerabilities (55.4%)
  • Remote Code Execution: 17 vulnerabilities (20.5%)
  • Denial of Service: 9 vulnerabilities
  • Information Disclosure: 7 vulnerabilities
  • Security Feature Bypass: 4 vulnerabilities

The heavy emphasis on privilege escalation bugs reflects ongoing attacker interest in post-compromise lateral movement. Once inside a network, elevating from standard user to admin or SYSTEM is often the critical step.

Notable High-Severity Patches

Several other patches deserve attention even without Critical ratings:

CVE-2026-25177 addresses an elevation of privilege flaw in Active Directory Domain Services. Authenticated attackers could use this to compromise domain controllers, the keys to any enterprise Windows environment. We've covered authentication bypass patterns in network appliances before, and AD vulnerabilities often enable similar attack chains.

CVE-2026-25170 is a use-after-free in Windows Hyper-V enabling local privilege escalation. Organizations running virtualized workloads should patch hypervisor hosts as a priority.

CVE-2026-26118 affects Azure MCP Server, allowing attackers to elevate privileges using obtained managed identity tokens. Cloud-native deployments should review Azure component updates.

What to Patch First

For organizations prioritizing limited maintenance windows:

  1. SQL Server systems - CVE-2026-21262 is publicly disclosed and targets a common attack vector
  2. .NET production apps - CVE-2026-26127 could enable DoS against web services
  3. SharePoint on-premises - Unauthenticated RCE is always high-priority
  4. Office installations - Preview Pane attacks don't require user interaction
  5. Active Directory - AD compromises enable complete domain takeover

Why This Matters

This patch release continues a trend of hefty monthly updates from Microsoft. The CISA KEV catalog frequently adds Microsoft vulnerabilities within weeks of patch releases when exploitation is detected, making prompt patching essential.

The Preview Pane attack vector in Office is particularly concerning. Users trained to avoid opening suspicious attachments can still be compromised just by selecting an email in their inbox. These "zero-click" or "no-click" scenarios bypass much of the user education security teams invest in.

Organizations should also track the SQL Server and .NET zero-days closely. Public disclosure without evidence of exploitation is a grace period, not a guarantee. Threat actors monitor patch releases to identify vulnerable targets who haven't updated yet.

FAQ

Are these zero-days being actively exploited?

Not according to Microsoft's current assessment. Both CVE-2026-21262 and CVE-2026-26127 were publicly disclosed before patches were available, but no exploitation has been observed yet. This status can change quickly once patches reveal the vulnerability details.

Should I prioritize this over last month's updates?

Both matter. If you're behind on patches, focus first on any vulnerabilities already in CISA's Known Exploited Vulnerabilities catalog, then address this month's disclosed zero-days and Critical-rated RCE bugs.
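The ordering described in this answer and in "What to Patch First", as an added example that is not part of the original article: a small triage sorter that ranks pending CVEs as KEV-listed first, then publicly disclosed, then Critical RCE, then everything else. The KEV sample is constructed in the shape of CISA's JSON feed, `CVE-0000-00001` is a placeholder for an older backlog item, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of CISA's KEV JSON feed (vulnerabilities[].cveID).
# CVE-0000-00001 is a placeholder for an older backlog item, not a real entry.
KEV_FEED = '{"vulnerabilities": [{"cveID": "CVE-0000-00001"}]}'

# (cve, product, impact, critical, publicly_disclosed, cvss) as stated in the article.
# cvss is None where the article gives no score; critical is True only for CVEs
# the article lists under its Critical RCE section.
PENDING = [
    ("CVE-2026-25177", "Active Directory Domain Services", "EoP", False, False, None),
    ("CVE-2026-26114", "SharePoint Server (on-premises)", "RCE", True, False, None),
    ("CVE-2026-26113", "Office", "RCE", True, False, 8.4),
    ("CVE-2026-26127", ".NET 9.0/10.0", "DoS", False, True, 7.5),
    ("CVE-2026-25170", "Hyper-V", "EoP", False, False, None),
    ("CVE-0000-00001", "placeholder backlog item", "EoP", False, False, None),
    ("CVE-2026-26110", "Office", "RCE", True, False, 8.4),
    ("CVE-2026-21262", "SQL Server", "EoP", False, True, 8.8),
    ("CVE-2026-26118", "Azure MCP Server", "EoP", False, False, None),
]

TIER_NAMES = ["KEV-listed", "publicly disclosed", "Critical RCE", "remaining"]


def load_kev(feed_json):
    """Return the set of CVE IDs present in a KEV-style JSON document."""
    return {entry["cveID"] for entry in json.loads(feed_json)["vulnerabilities"]}


def tier(vuln, kev):
    """Map one pending CVE to the FAQ's priority tier (0 is most urgent)."""
    cve, _product, impact, critical, disclosed, _cvss = vuln
    if cve in kev:
        return 0
    if disclosed:
        return 1
    if critical and impact == "RCE":
        return 2
    return 3


def patch_order(pending, kev):
    """Sort by tier, then highest known CVSS, then CVE ID for a stable result."""
    return sorted(pending, key=lambda v: (tier(v, kev), -(v[5] or 0.0), v[0]))


if __name__ == "__main__":
    kev = load_kev(KEV_FEED)
    for v in patch_order(PENDING, kev):
        print(f"{TIER_NAMES[tier(v, kev)]:<19} {v[0]:<15} {v[1]}")
```

Ties inside a tier fall back to CVSS, so SharePoint (no score given in the article) sorts after Office here. Re-running with a refreshed KEV set moves any newly listed CVE to the top, which is the status change the FAQ warns about.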
