
March 2026 Patch Tuesday: 77 Vulnerabilities Fixed, No Zero-Days Exploited

Microsoft fixes 77 vulnerabilities in March 2026, no zero-days. Key patches: SQL Server EOP, Office RCE, privilege escalation bugs, and an AI-discovered flaw.

Oa5678 Stack · 2026-05-02 07:28:20 · Cybersecurity

Overview of the March 2026 Security Update

Microsoft released its monthly security patches on March 2026 Patch Tuesday, addressing a total of 77 vulnerabilities across Windows and other software. Unlike February, which saw five actively exploited zero-day flaws, this month’s update contains no zero-day bugs under active attack. However, security experts urge organizations to prioritize several patches due to their potential impact. Below, we break down the most critical fixes and what they mean for IT teams.

Image: March 2026 Patch Tuesday: 77 Vulnerabilities Fixed, No Zero-Days Exploited (source: krebsonsecurity.com)

Publicly Disclosed Vulnerabilities

SQL Server Elevation of Privilege – CVE-2026-21262

One of the two publicly known flaws is CVE-2026-21262, an elevation of privilege vulnerability affecting SQL Server 2016 and later. An authenticated attacker can exploit this over a network to gain sysadmin privileges. Rapid7’s Adam Barnett warns: “This isn’t just any elevation of privilege vulnerability; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network. The CVSS v3 base score of 8.8 is just below the threshold for critical severity since low-level privileges are required. It would be a courageous defender who shrugged and deferred the patches for this one.” Administrators should apply this patch promptly.

.NET Denial of Service – CVE-2026-26127

The second publicly disclosed bug is CVE-2026-26127, a weakness in applications running on .NET. According to Barnett, immediate exploitation likely causes a denial-of-service crash, but other attack types could surface during a service reboot. While less severe, it remains a risk for environments relying on .NET frameworks.

Critical Office Vulnerabilities via Preview Pane

This month’s Patch Tuesday includes two critical remote code execution (RCE) flaws in Microsoft Office: CVE-2026-26113 and CVE-2026-26110. Both can be triggered simply by previewing a malicious email in the Outlook Preview Pane—no additional user interaction required. These deserve immediate attention, especially for organizations that handle sensitive communications through Office products.

Privilege Escalation Bugs Dominate

Satnam Narang at Tenable notes that over half (55%) of all March Patch Tuesday CVEs are privilege escalation vulnerabilities. Among them, six are rated “exploitation more likely” by Microsoft. These include:

  • CVE-2026-24291: Incorrect permission assignments in Windows Accessibility Infrastructure, allowing SYSTEM-level access (CVSS 7.8)
  • CVE-2026-24294: Improper authentication in the core SMB component (CVSS 7.8)
  • CVE-2026-24289: High-severity memory corruption and race condition (CVSS 7.8)
  • CVE-2026-25187: Winlogon process weakness discovered by Google Project Zero (CVSS 7.8)

These affect core Windows components including Graphics Component, Accessibility Infrastructure, Kernel, SMB Server, and Winlogon. Prioritizing their deployment can prevent attackers from gaining elevated privileges.

AI-Discovered Vulnerability in Devices Pricing Program

Ben McCarthy, lead cyber security engineer at Immersive, highlights CVE-2026-21536, a critical RCE bug in the Microsoft Devices Pricing Program. Microsoft has already resolved the issue server-side, requiring no action from Windows users. However, McCarthy notes its significance as one of the first vulnerabilities identified by an autonomous AI penetration testing agent (XBOW) and officially assigned a CVE. This marks a milestone in AI-assisted security research.

Recommendations for IT Teams

Although no zero-day exploits are currently active, the March 2026 Patch Tuesday carries substantial risk from publicly known flaws (especially SQL Server), critical Office RCE, and a flood of privilege escalation vulnerabilities. Security teams should prioritize CVE-2026-21262, CVE-2026-26113 and CVE-2026-26110, and the “exploitation more likely” privilege escalation bugs. Testing and deploying these patches swiftly will reduce exposure to potential attacks.
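The prioritization above (publicly disclosed flaws first, then the critical Office RCEs, then the "exploitation more likely" privilege escalations, then everything else, with server-side fixes dropped from the deployment queue) can be made repeatable so that the same ranking comes out every month. The following is an added example, not code from the article or from Microsoft; the `Advisory` fields, the tier rules and the function names are this example's own, the records are constructed from the article's text, and CVSS scores the article does not state are left as `None`.

```python
"""Patch Tuesday triage helper (added example, not part of the article).

Ranks a month's advisories into a deployment order using the article's
recommendation: publicly disclosed bugs first, then Critical-rated RCE,
then "exploitation more likely", then the rest. Advisories that Microsoft
resolved server-side are reported separately, since there is nothing to
deploy. Records below are constructed from the article; the data model
and function names are this example's own, not an MSRC API.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    impact: str                              # "EoP", "RCE" or "DoS"
    cvss: Optional[float]                    # None when the article gives no score
    critical: bool = False                   # Microsoft severity "Critical"
    publicly_disclosed: bool = False
    exploitation_more_likely: bool = False   # Microsoft exploitability index
    customer_action_required: bool = True    # False when fixed server-side


def priority_tier(a: Advisory) -> int:
    """Lower tier deploys earlier; tiers follow the article's ordering."""
    if a.publicly_disclosed:
        return 0
    if a.critical:
        return 1
    if a.exploitation_more_likely:
        return 2
    return 3


def rank_advisories(advisories: List[Advisory]) -> List[Advisory]:
    """Advisories that need customer action, in deployment order.

    Sort key: tier, then CVSS descending (unknown scores sort last within
    a tier), then CVE id so the order is deterministic on ties.
    """
    actionable = [a for a in advisories if a.customer_action_required]
    return sorted(actionable,
                  key=lambda a: (priority_tier(a), -(a.cvss or 0.0), a.cve))


def deployment_order(advisories: List[Advisory]) -> List[str]:
    return [a.cve for a in rank_advisories(advisories)]


def no_action_needed(advisories: List[Advisory]) -> List[str]:
    """CVEs already resolved by Microsoft with nothing for customers to deploy."""
    return [a.cve for a in advisories if not a.customer_action_required]


# Constructed from the article's text; only the CVSS scores it states are filled in.
MARCH_2026 = [
    Advisory("CVE-2026-21262", "SQL Server 2016 and later", "EoP", 8.8,
             publicly_disclosed=True),
    Advisory("CVE-2026-26127", ".NET applications", "DoS", None,
             publicly_disclosed=True),
    Advisory("CVE-2026-26113", "Microsoft Office (Outlook Preview Pane)", "RCE", None,
             critical=True),
    Advisory("CVE-2026-26110", "Microsoft Office (Outlook Preview Pane)", "RCE", None,
             critical=True),
    Advisory("CVE-2026-24291", "Windows Accessibility Infrastructure", "EoP", 7.8,
             exploitation_more_likely=True),
    Advisory("CVE-2026-24294", "Windows SMB", "EoP", 7.8,
             exploitation_more_likely=True),
    Advisory("CVE-2026-24289", "Windows (memory corruption / race)", "EoP", 7.8,
             exploitation_more_likely=True),
    Advisory("CVE-2026-25187", "Windows Winlogon", "EoP", 7.8,
             exploitation_more_likely=True),
    Advisory("CVE-2026-21536", "Microsoft Devices Pricing Program", "RCE", None,
             critical=True, customer_action_required=False),
]


if __name__ == "__main__":
    for a in rank_advisories(MARCH_2026):
        print(f"tier {priority_tier(a)}  {a.cve:<15} {a.product:<40} "
              f"{a.impact:<4} CVSS {a.cvss}")
    print("no customer action:", ", ".join(no_action_needed(MARCH_2026)))
```

Running the module prints the nine advisories as an eight-item deployment queue plus a one-line list of server-side fixes; the SQL Server bug lands first because it is both publicly disclosed and the highest-scored item in its tier, and the four 7.8-rated privilege escalations follow the Office RCEs in CVE order.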
