MARCH 2026 Patch Tuesday fixes two zero-day vulnerabilities, with Malwarebytes noting that Microsoft released updates covering 79 CVEs, including the two zero-days. The vulnerability tracked as CVE-2026-21262, a flaw in Microsoft SQL Server rated CVSS 8.8, could allow a logged-in user to climb to database administrator and manipulate data or configurations over crafted SQL requests without user interaction.
CVE-2026-26127, a flaw in Microsoft’s .NET platform affecting .NET 9.0 and 10.0, can remotely crash .NET applications across Windows, macOS and Linux, leading to denial of service. Also addressed are two Office remote code execution flaws, CVE-2026-26110 and CVE-2026-26113, exploitable via the preview pane, plus a Microsoft Excel information disclosure flaw CVE-2026-26144 that could enable data exfiltration via Copilot.
The article notes there is no indication these vulnerabilities were actively exploited and explains how to apply the fixes through Windows Update, including guidance on checking for updates and restarting as required.