Microsoft Rolls Out March 2026 Patches, No Zero-Days but Several Critical Flaws
Microsoft Corp. today released its monthly security updates, addressing at least 77 vulnerabilities across Windows and other software. Unlike February's five active zero-day exploits, this month has no publicly exploited flaws—but experts warn that several patches demand immediate attention.
Two of the bugs were publicly disclosed prior to today's release. The first, CVE-2026-21262, is an elevation-of-privilege vulnerability in SQL Server 2016 and later editions. "This isn't just any elevation of privilege vulnerability—an authorized attacker can elevate to sysadmin over a network," said Adam Barnett of Rapid7. "The CVSS v3 base score of 8.8 is just below critical severity, but it would be a courageous defender who shrugs and defers this patch."
The second publicly known flaw is CVE-2026-26127, a vulnerability in .NET applications. According to Barnett, exploitation would likely cause a denial-of-service crash, though other attack types could emerge during a reboot.
Critical Office Exploits via Preview Pane
This month's Patch Tuesday includes two critical remote code execution bugs in Microsoft Office: CVE-2026-26113 and CVE-2026-26110. Both can be triggered simply by viewing a malicious message in the Preview Pane, increasing the risk for email-heavy organizations.
Privilege Escalation Bugs Dominate
Satnam Narang at Tenable notes that over half (55%) of all vulnerabilities patched this month are privilege escalation flaws. Six of these are rated "exploitation more likely" by Microsoft, affecting components such as Windows Graphics, Accessibility Infrastructure, Kernel, SMB Server, and Winlogon. Key examples include:
- CVE-2026-24291: Incorrect permission assignments in Windows Accessibility Infrastructure – CVSS 7.8
- CVE-2026-24294: Improper authentication in the core SMB component – CVSS 7.8
- CVE-2026-24289: Memory corruption and race condition – CVSS 7.8
- CVE-2026-25187: Winlogon process weakness discovered by Google Project Zero – CVSS 7.8
First AI-Discovered Vulnerability Recognized by Microsoft
Ben McCarthy, lead cyber security engineer at Immersive, highlighted CVE-2026-21536, a critical remote code execution flaw in the Microsoft Devices Pricing Program. Though already resolved on Microsoft's end and requiring no user action, McCarthy noted its significance: "It's one of the first vulnerabilities identified by an AI agent and officially recognized with a CVE attributed to the Windows operating system." The bug was discovered by XBOW, an autonomous AI penetration testing agent.
Background: Microsoft's Monthly Patch Cycle
Microsoft releases security updates on the second Tuesday of each month, known as Patch Tuesday. Organizations are urged to test and deploy patches quickly, especially those rated critical or flagged as publicly known. The March 2026 edition continues a trend of high-volume fixes, with privilege escalation bugs remaining a persistent threat.
What This Means for Organizations
IT administrators should prioritize patching the SQL Server vulnerability (CVE-2026-21262) and the two Office remote code execution bugs (CVE-2026-26113, CVE-2026-26110) given their network-based attack vectors. The six privilege escalation flaws marked as "exploitation more likely" also warrant immediate attention, especially the Winlogon bug discovered by Google Project Zero.
While no zero-days are present, the combination of publicly disclosed flaws and critical Office vulnerabilities makes this a high-priority patch cycle. The emergence of AI-discovered vulnerabilities suggests the threat landscape is evolving—automated agents may find flaws faster than traditional methods, compressing the window for defense.