www.rapid7.com 3/10/2026, 10:03:15 PM · via preferred

Patch Tuesday - March 2026

CyberSIXT Evidence Panel
Primary Source: msrc.microsoft.com
CISA KEV: Not in KEV
Patch: Patch Available

According to Microsoft, the March 2026 Patch Tuesday release publishes 77 vulnerabilities. Microsoft notes public disclosure of two issues but no evidence of exploitation in the wild for any of today’s flaws, and therefore there are no Microsoft additions to CISA KEV this month. Earlier in March, patches addressed nine browser vulnerabilities that are not included in the Patch Tuesday count.

A notable item is CVE-2026-21262, a SQL Server elevation of privilege vulnerability with a CVSS v3 base score of 8.8. It affects versions from SQL Server 2025 back to SQL Server 2016 SP3 and could allow an authorized attacker to elevate privileges to sysadmin over a network via xp_cmdshell. xp_cmdshell remains disabled by default, but a SQL Server sysadmin can enable it in seconds.
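An added example, not taken from Rapid7 or Microsoft: a T-SQL audit to run on each instance while patching, recording the xp_cmdshell setting, who currently holds sysadmin-level rights, and the build to compare with the fixed build in Microsoft's advisory. It assumes a login that can see all server principals (for example a sysadmin); the final hardening step is optional and is left commented out.

```sql
-- Added example: per-instance audit for xp_cmdshell and sysadmin exposure.

-- 1. xp_cmdshell state. "configured" is what sp_configure stored,
--    "running" is what the engine is using after RECONFIGURE.
SELECT name,
       CAST(value        AS int) AS configured,
       CAST(value_in_use AS int) AS running
FROM   sys.configurations
WHERE  name IN (N'xp_cmdshell', N'show advanced options');

-- 2. Every principal that is a member of the sysadmin fixed server role.
SELECT m.name, m.type_desc, m.is_disabled, m.create_date, m.modify_date
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name = N'sysadmin'
ORDER  BY m.modify_date DESC;

-- 3. Principals granted CONTROL SERVER, which is sysadmin-equivalent
--    and does not show up in the role membership query above.
SELECT p.name, p.type_desc, sp.state_desc
FROM   sys.server_permissions AS sp
JOIN   sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE  sp.permission_name = N'CONTROL SERVER'
  AND  sp.state IN ('G', 'W');   -- GRANT or GRANT WITH GRANT OPTION

-- 4. Build information to compare with the fixed build in the advisory.
SELECT SERVERPROPERTY('ProductVersion')     AS product_version,
       SERVERPROPERTY('ProductLevel')       AS product_level,
       SERVERPROPERTY('ProductUpdateLevel') AS update_level,
       SERVERPROPERTY('Edition')            AS edition;

-- 5. Optional hardening if step 1 shows running = 1 and nothing depends on it.
--    Uncomment to apply; this changes server configuration.
-- EXEC sp_configure N'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure N'xp_cmdshell', 0;           RECONFIGURE;
-- EXEC sp_configure N'show advanced options', 0; RECONFIGURE;
```

Saving the output of steps 1 to 3 before and after patching gives a baseline for spotting new sysadmin members or an xp_cmdshell setting that changed unexpectedly.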

Another entry is CVE-2026-26127, a .NET denial of service vulnerability, with exploitation risks described as potential pauses or crashes and knock-on effects during service reboot. The Microsoft Authenticator vulnerability CVE-2026-26123 is highlighted for QR code impersonation; it requires user interaction and could allow MFA disruption if the malicious app is installed on a device.


Article by CyberSIXT