Microsoft released security updates for 79 vulnerabilities in this month’s Patch Tuesday, including two publicly disclosed zero-days, a welcome relief for sysadmins. The first zero-day is CVE-2026-21262, an SQL Server elevation of privilege bug with a CVSS score of 8.8, which Rapid7 principal software engineer Adam Barnett described as just below critical because low-level privileges are required. According to Barnett, public disclosure means exploitation is less likely, but patching remains prudent.
The second zero-day is CVE-2026-26127, a denial-of-service flaw in .NET. Barnett described exploitation in the wild as potentially more serious than it appears, and warned that downtime could trigger SLA breaches or revenue loss.
The article notes that, overall, there are three critical-rated vulnerabilities this month, with the majority being elevation of privilege issues, including CVE-2026-23668 in the Windows Graphics Component, CVE-2026-24294 in the Windows SMB Server and CVE-2026-24289 in the Windows Kernel, as highlighted by Ben McCarthy of Immersive. The piece is written by Phil Muncaster and dated 11 March 2026.