Microsoft Patch Tuesday March 2026 Fixes 78 Security Flaws Including One Zero-Day


Microsoft released its March 2026 Patch Tuesday security updates on March 10, fixing 78 vulnerabilities across Windows, Microsoft Office, Azure services, SQL Server, .NET, and several other products. The release also fixes one actively exploited zero-day vulnerability, making this month’s patch cycle particularly important for system administrators and enterprise security teams.

The most urgent issue addressed in this release is CVE-2026-21262, an elevation of privilege vulnerability in SQL Server that attackers have already exploited in the wild. Microsoft confirmed that the flaw allows an attacker with limited access to escalate privileges within affected systems, which could lead to deeper compromise if combined with other vulnerabilities.

Security experts recommend deploying the March updates as soon as possible across enterprise environments, especially for servers and endpoints that run Microsoft Office, SQL Server, and Windows services exposed to internal or external networks.

Overview of the March 2026 Patch Tuesday Update

Microsoft addressed vulnerabilities in a wide range of software, including Windows kernel components, Azure cloud tools, Office applications, and developer frameworks such as .NET.

The vulnerabilities fall into several categories, with Elevation of Privilege flaws representing the majority of the fixes in this release.

Vulnerability distribution

| Vulnerability Type | Number of Flaws |
|---|---|
| Elevation of Privilege | 43 |
| Remote Code Execution | 16 |
| Information Disclosure | 9 |
| Denial of Service | 4 |
| Spoofing | 4 |
| Security Feature Bypass | 2 |
| Total | 78 |

Elevation of Privilege vulnerabilities remain the most common class of Windows security flaws because they allow attackers to move from a low-privilege foothold to full system control.

Actively Exploited Zero-Day Vulnerability

The most critical issue this month is CVE-2026-21262, which Microsoft lists as an actively exploited zero-day vulnerability.

Attackers who exploit this flaw can elevate privileges within SQL Server environments. Although exploitation requires some level of access to the system, it could allow attackers to gain administrative permissions and perform additional malicious actions.

Microsoft has not publicly identified the threat actor or campaign responsible for exploiting the vulnerability. However, security teams often treat actively exploited flaws as the highest priority during patch deployment.

Organizations running SQL Server should prioritize applying the update immediately.

Publicly Disclosed Vulnerability

Another notable flaw in this release is CVE-2026-26127, a denial of service vulnerability in .NET.

This vulnerability had already been publicly disclosed before Microsoft released the patch. Public disclosure increases risk because attackers may attempt to develop working exploits based on available technical information.

While Microsoft has not confirmed active exploitation, security researchers typically consider publicly disclosed vulnerabilities to carry elevated risk.

Critical vulnerabilities patched

Three vulnerabilities received Microsoft’s Critical severity rating, meaning they could cause severe damage if exploited.

These include:

• CVE-2026-26113 – Microsoft Office Remote Code Execution vulnerability
• CVE-2026-26110 – Microsoft Office Remote Code Execution vulnerability
• CVE-2026-26144 – Microsoft Excel Information Disclosure vulnerability

The two Office RCE flaws could allow attackers to run malicious code if a user opens a specially crafted document. Such vulnerabilities often become targets for phishing campaigns that distribute infected files through email.

The Excel vulnerability, although categorized as information disclosure, received a Critical rating because it could expose highly sensitive information.

Major affected components

Several key Microsoft technologies received security updates in this release.

Windows platform vulnerabilities

Multiple elevation of privilege vulnerabilities affect core Windows components such as:

• Windows Kernel
• Windows SMB Server
• Winlogon
• Windows DWM Core Library
• Windows Telephony Service

If exploited, these vulnerabilities could allow attackers to gain SYSTEM-level access.

Microsoft Office vulnerabilities

Office applications received several fixes including multiple remote code execution flaws in Excel and Office.

These vulnerabilities can be triggered when users open specially crafted files. Because Office documents are frequently shared through email and collaboration platforms, these flaws often become high-value targets for attackers.

SharePoint vulnerabilities

Two remote code execution vulnerabilities affect Microsoft SharePoint Server.

SharePoint servers often store critical organizational data and can be accessible across corporate networks. Exploiting these vulnerabilities could allow attackers to execute arbitrary code on affected servers.

Azure and cloud platform vulnerabilities

Microsoft also addressed several vulnerabilities affecting Azure components and hybrid cloud tools, including:

• Azure Connected Machine Agent
• Azure MCP Server Tools
• Azure IoT Explorer
• Azure AD SSH Login extension for Linux
• Hybrid Worker Extension for Arc-enabled Windows VMs

These patches are important for organizations using hybrid cloud infrastructure or Azure-connected services.

Notable vulnerabilities fixed in March 2026

Several vulnerabilities stand out because they affect widely deployed services or critical infrastructure components.

Remote code execution vulnerabilities

• CVE-2026-26114 – Microsoft SharePoint Server RCE
• CVE-2026-26106 – Microsoft SharePoint Server RCE
• CVE-2026-26111 – Windows Routing and Remote Access Service RCE
• CVE-2026-25190 – Windows GDI Remote Code Execution
• CVE-2026-26107 – Microsoft Excel RCE
• CVE-2026-26108 – Microsoft Excel RCE
• CVE-2026-26109 – Microsoft Excel RCE
• CVE-2026-26112 – Microsoft Excel RCE

Elevation of privilege vulnerabilities

• CVE-2026-26132 – Windows Kernel EoP
• CVE-2026-26128 – Windows SMB Server EoP
• CVE-2026-25187 – Winlogon EoP
• CVE-2026-25189 – Windows DWM Core Library EoP
• CVE-2026-26148 – Azure AD SSH Login extension EoP

Other notable fixes

• CVE-2026-26130 – ASP.NET Core Denial of Service
• CVE-2026-26131 – .NET Elevation of Privilege
• CVE-2026-26123 – Microsoft Authenticator Information Disclosure
• CVE-2026-26121 – Azure IoT Explorer Spoofing
• CVE-2026-25186 – Windows Accessibility Infrastructure Information Disclosure

Why Patch Tuesday updates matter

Patch Tuesday remains Microsoft’s primary schedule for releasing coordinated security updates across its ecosystem.

Organizations that delay patching may expose their infrastructure to attackers who attempt to exploit newly disclosed vulnerabilities. Threat actors often analyze patch releases to identify weaknesses in unpatched systems.

Applying updates quickly reduces the window of opportunity for exploitation.

Organizations should take the following steps after the March Patch Tuesday release.

• Prioritize patching CVE-2026-21262 immediately
• Deploy updates across all Windows endpoints and servers
• Update Microsoft Office installations across the organization
• Patch SQL Server and SharePoint deployments
• Review Azure and hybrid cloud environments for affected services
• Monitor systems for suspicious activity after patch deployment

Testing updates in staging environments before wide deployment remains a best practice for enterprise environments.

FAQ

What is Patch Tuesday?

Patch Tuesday is Microsoft’s monthly release cycle for security updates and bug fixes. Updates typically arrive on the second Tuesday of each month.

How many vulnerabilities did Microsoft fix in March 2026?

Microsoft fixed 78 vulnerabilities in the March 2026 Patch Tuesday release.

Was there a zero-day vulnerability this month?

Yes. Microsoft patched CVE-2026-21262, an actively exploited SQL Server elevation of privilege vulnerability.

Which vulnerabilities are considered the most dangerous?

The most serious vulnerabilities include the zero-day flaw, several Office remote code execution vulnerabilities, SharePoint server RCE vulnerabilities, and Windows kernel privilege escalation issues.
