Microsoft March Patch Tuesday: 8 Critical Bulletins and 2 Zero-Days

Microsoft's March 2026 Patch Tuesday includes fixes for 83 vulnerabilities affecting Windows, Office, SQL Server, Azure and .NET. Eight are rated Critical. Two had been publicly disclosed before patches were released.

Two Zero-Days, but No Sign of Active Exploitation
The two publicly disclosed flaws affect .NET and SQL Server.

CVE-2026-26127 is a denial-of-service vulnerability in .NET caused by an out-of-bounds read. It could let an unauthorized attacker disrupt service over a network without authentication. CVE-2026-21262 is an elevation-of-privilege flaw in SQL Server that could allow an authenticated user to gain SQLAdmin-level privileges over a network.

Satnam Narang, senior staff research engineer at Tenable, said neither appears urgent. "These bugs are more bark than bite," Narang said. "The DoS vulnerability is assessed as unlikely to be exploited and requires an attacker to be authorized beforehand, while the privilege escalation bug was deemed less likely to be exploited."

Narang said another pattern in this month's release is worth noting: 55 percent of the CVEs are privilege escalation flaws. Six of those were rated "exploitation more likely" and affect the Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server and Winlogon. "We know these bugs are typically used by threat actors as part of post-compromise activity, once they get onto systems through other means," Narang said.

Eight Critical Bulletins
Of the eight Critical vulnerabilities patched this month, three affect Microsoft Office and Excel and require customer patching. The other five -- involving Microsoft ACI Confidential Containers, the Devices Pricing Program and a GitHub dependency flaw -- were remediated by Microsoft on the back end and require no customer action.

The three customer-actionable Critical flaws all involve Microsoft's Office suite. Two can be triggered through the Preview Pane, meaning a user may only need to view a malicious document for exploitation to occur.

CVE-2026-26113 is a remote code execution flaw in Microsoft Office caused by an untrusted pointer dereference. Jack Bicer, director of vulnerability research at Action1, said the risk is serious. "Memory handling flaws in everyday productivity tools can quickly turn routine work into a security incident," Bicer said. Because Office files are widely shared inside and outside organizations, he said, one malicious document could give attackers an opening into the broader network.

CVE-2026-26110 is another Office remote code execution flaw. It stems from a type confusion issue that can lead to improper memory handling when Office accesses a resource using an incompatible data type. The Preview Pane can trigger the flaw without the file being fully opened. Mike Walters, president and co-founder of Action1, said the risk is straightforward. "A single memory handling mistake inside Office can allow attackers to run their own code, turning an ordinary document into a potential system takeover," Walters said.

The third Critical flaw requiring customer action, CVE-2026-26144, is an information disclosure vulnerability in Microsoft Excel tied to improper input neutralization during Web page generation. Alex Vovk, CEO and co-founder of Action1, said the issue reflects a newer risk area. "A single malicious Excel interaction could silently leak sensitive data across the network, turning a simple spreadsheet into a covert data exfiltration channel," Vovk said. Microsoft said the flaw could allow Copilot Agent mode to exfiltrate sensitive data without user interaction, creating a possible zero-click scenario for organizations using AI-assisted productivity tools.

Other Notable Fixes
The release also includes CVE-2026-23654, a Critical remote code execution vulnerability tied to the GitHub repository "zero-shot-scfoundation." Microsoft remediated the issue without requiring customer action. Bicer said the flaw was caused by an improperly controlled third-party package dependency that could allow a malicious package to be substituted through the public PyPI registry during installation, putting development pipelines and CI/CD environments at risk.
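The substitution risk Bicer describes arises when an installer is free to resolve a dependency name from the public PyPI index instead of the source the project intended. As an added example, not code from the article, from Microsoft or from the repository named above, the following Python script audits a requirements file for the settings that leave that door open: an --extra-index-url line (which lets pip consider every configured index for every name), versions that are not pinned with ==, and pins that carry no --hash value for pip's --require-hashes mode to verify. The sample requirements text and the package names in it are constructed for illustration.

```python
"""Audit a pip requirements file for settings that allow a substitute package
to be pulled from the public PyPI index during installation.

Added example; the requirements text below is constructed, not taken from any
real project.
"""
import re
from dataclasses import dataclass

# Constructed sample: a mix of option lines, unpinned, pinned and hash-locked entries.
SAMPLE_REQUIREMENTS = """\
# internal package served from a private index, but pip may still consult PyPI
--extra-index-url https://pypi.internal.example/simple
internal-ml-utils
numpy>=1.26
torch==2.2.0
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""


@dataclass
class Finding:
    line_no: int   # first physical line of the offending requirement
    text: str      # the logical (continuation-joined) line
    problem: str


# name, optional [extras], then an exact == pin
_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*[^\s;]+")


def _logical_lines(text):
    """Join backslash-continued lines, keeping the number of the first physical line."""
    out = []
    buf, start = "", None
    for i, raw in enumerate(text.splitlines(), start=1):
        if start is None:
            start = i
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        buf += raw
        out.append((start, buf.strip()))
        buf, start = "", None
    if buf.strip():
        out.append((start, buf.strip()))
    return out


def audit_requirements(text, require_hashes=True):
    """Return a list of Finding objects, one per risky logical line."""
    findings = []
    for line_no, line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("--extra-index-url"):
            findings.append(Finding(line_no, line,
                "extra index: pip may resolve a same-named package from public PyPI"))
            continue
        if line.startswith("-"):
            continue  # other options (-r, --index-url, ...) are not examined here
        if not _PIN_RE.match(line):
            findings.append(Finding(line_no, line, "version not pinned with =="))
        elif require_hashes and "--hash=" not in line:
            findings.append(Finding(line_no, line,
                "no --hash: downloaded artifact contents are not verified"))
    return findings


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: {f.problem}\n    {f.text}")
```

Run it against a project's requirements file to get a list of lines to fix before enabling `pip install --require-hashes`, which makes pip refuse any requirement that is not pinned and hash-locked; for packages that must come from a private index, `--index-url` pointing only at that index avoids the name collision that `--extra-index-url` permits.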

Also patched is CVE-2026-26118, a server-side request forgery elevation-of-privilege flaw in Azure Model Context Protocol tools. Narang said MCP servers have become more widely used as connectors between large language models and agentic AI applications, making them a more attractive target. "It has become even more critical to secure these tools from cybercriminals," Narang said.

Two SharePoint Server remote code execution flaws, a Windows RRAS remote code execution bug and four separate Excel remote code execution vulnerabilities were also included in the release.

Updates are available now through Windows Update, Windows Server Update Services and the Microsoft Update Catalog. A complete list of security bulletins can be found here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
