Microsoft Patch Tuesday for March 2026, published on 10 March 2026, fixes at least 77 vulnerabilities across Windows and related software, with no pressing zero-days this month. Two flaws were publicly disclosed previously: CVE-2026-21262, affecting SQL Server 2016 and later, and CVE-2026-26127, a .NET application issue; both are addressed in this update.
Among the critical items are remote code execution flaws in Microsoft Office (CVE-2026-26113 and CVE-2026-26110) that can be triggered by viewing a booby-trapped message in the Preview Pane. The article notes a concentration of privilege-escalation bugs this month, including several CVEs tied to the Windows Graphics Component, Windows SMB Server, Winlogon and related areas, multiple of which are rated "exploitation more likely".
It also highlights CVE-2026-21536, a notable flaw tied to the Microsoft Devices Pricing Program that was discovered by XBOW, an autonomous AI penetration testing agent, and patched by Microsoft; the case illustrates AI-driven vulnerability discovery. Separately, Adobe issued updates for 80 vulnerabilities and Mozilla updated Firefox to v.148.0.2; for a full breakdown, see the Patch Tuesday post from SANS Internet Storm Center.
Note that Microsoft also issued an out-of-band update on 2 March 2026 addressing a Windows Hello for Business certificate renewal issue; Windows Server 2022 users were affected by that advisory. According to SANS Internet Storm Center’s Patch Tuesday post.