Microsoft’s March 2026 Patch Tuesday addressed 83 vulnerabilities across Windows and multiple Microsoft products and components. The fixes include two publicly disclosed zero-days, though neither has been confirmed as actively exploited at release.
The two zero-days are CVE-2026-26127 (CVSS 7.5) – a .NET Denial of Service flaw that could be exploited remotely over a network – and CVE-2026-21262 (CVSS 8.8) – a SQL Server Elevation of Privilege vulnerability that could allow an authenticated attacker to gain SQLAdmin-level privileges over a network.
Eight vulnerabilities were classified as critical, including CVE-2026-21536 (CVSS 9.8), a Remote Code Execution flaw in the Microsoft Devices Pricing Program, and several Office and Azure-related flaws such as CVE-2026-26110, CVE-2026-26113, CVE-2026-26144, CVE-2026-23651, CVE-2026-26124 and CVE-2026-26125. The report notes that the two Office RCE flaws require no user interaction and that the Excel information disclosure weakness could be particularly concerning in Microsoft 365 Copilot environments.
Organisations are advised to prioritise patching, especially for SQL Server environments, Azure-related services, and the broader set of high-risk and potentially weaponisable vulnerabilities.