RoboShadow Blog

Patch Tuesday: March 2026

Written by Zaima Lalmahomed | Mar 13, 2026 10:34:54 AM

Microsoft’s March Patch Tuesday is a busy one! Microsoft patched 84 vulnerabilities this month, including two publicly disclosed zero-day issues and eight critical vulnerabilities. Privilege escalation flaws dominate the release again, making up more than half of the patched issues, with remote code execution not far behind as a major concern.

  

You can find Microsoft’s full March 2026 security update notes here. Note that Microsoft separately addressed additional Edge (Chromium-based) issues earlier in the month.

Key Updates

  • 84 vulnerabilities patched

  • 2 publicly disclosed zero-day vulnerabilities

  • 8 critical vulnerabilities

  • Privilege escalation made up the largest share of this month’s fixes

What is a Zero-Day vulnerability?
A zero-day vulnerability is a security flaw that becomes known to attackers before defenders have had a fair chance to patch it. In practice, that means there are effectively zero days of warning once details are public or exploitation begins. Even where exploitation has not yet been confirmed, a publicly disclosed flaw usually raises the urgency because attackers now know exactly what to start testing against exposed systems.

 

 

Vulnerability Types Released in March 2026

  

  • Elevation of Privilege: 46
  • Remote Code Execution: 18
  • Information Disclosure: 10
  • Spoofing: 4
  • Denial of Service: 4
  • Security Feature Bypass: 2

 

Zero-Day Vulnerabilities

 CVE-2026-21262 – SQL Server Elevation of Privilege Vulnerability  

  • Description: This publicly disclosed flaw affects Microsoft SQL Server and could allow an authenticated attacker to elevate privileges over the network due to improper access control. Successful exploitation could result in SQL sysadmin privileges.

  • Impact: If abused, this could give an attacker effectively full administrative control over the affected SQL environment, with obvious implications for sensitive business data, application back ends, and anything else tied to that database estate.

  • Remediation: Prioritise patching all affected SQL Server instances, especially those supporting production applications, customer data, internal reporting, or internet-facing services.

 

 CVE-2026-26127 – .NET Denial of Service Vulnerability  

  • Description: This publicly disclosed .NET flaw is an out-of-bounds read vulnerability affecting .NET 9.0 and 10.0 on Windows, macOS, and Linux.

  • Impact: While this is not a code execution issue, it could still be used to disrupt services or crash applications that rely on vulnerable .NET components. For organisations running customer-facing portals, internal apps, or API services on modern .NET stacks, that still makes it worth swift attention.

  • Remediation: Patch affected .NET environments promptly and check externally exposed services first, especially where uptime is critical.

     

Critical Vulnerability Summary

Here are the critical CVEs from this month’s release:

| Product / Component | CVE | Title | Severity |
|---|---|---|---|
| Azure Compute Gallery | CVE-2026-23651 | Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability | Critical |
| Azure Compute Gallery | CVE-2026-26124 | Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability | Critical |
| Azure Compute Gallery | CVE-2026-26122 | Microsoft ACI Confidential Containers Information Disclosure Vulnerability | Critical |
| Microsoft Devices Pricing Program | CVE-2026-21536 | Microsoft Devices Pricing Program Remote Code Execution Vulnerability | Critical |
| Microsoft Office | CVE-2026-26110 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office | CVE-2026-26113 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office Excel | CVE-2026-26144 | Microsoft Excel Information Disclosure Vulnerability | Critical |
| Payment Orchestrator Service | CVE-2026-26125 | Payment Orchestrator Service Elevation of Privilege Vulnerability | Critical |

Other Vulnerabilities Worth Watching

A few other March fixes stand out because of where they land operationally:

CVE-2026-26118 – Azure MCP Server Tools Elevation of Privilege
This one is especially interesting because it affects Azure Model Context Protocol (MCP) Server tooling. Microsoft says an attacker could submit crafted input that causes the MCP Server to make an outbound request and potentially expose its managed identity token. In plain English: if you are experimenting with agentic AI workflows or MCP-connected services, this deserves immediate review.
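While the patch is rolled out, a general defensive pattern for any tool that turns caller-supplied input into an outbound request is a strict destination allowlist checked before the request is made. The sketch below is an added example, not Microsoft's fix or code from the MCP Server; the handler, the allowlisted hostnames and the sample URLs are constructed assumptions.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumption: the only hosts this hypothetical tool handler legitimately needs.
ALLOWED_HOSTS = {"api.contoso.example", "docs.contoso.example"}


def check_outbound_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a caller-supplied URL, before any request is sent."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    # "https://trusted@other-host/" parses with other-host as the real destination.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present in URL"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host"
    try:
        ip_address(host)
        return False, "IP literal instead of hostname"
    except ValueError:
        pass  # not an IP literal, carry on to the allowlist
    if port not in (None, 443):
        return False, "non-standard port"
    if host not in ALLOWED_HOSTS:  # exact match only, no suffix or substring matching
        return False, "host not on allowlist"
    return True, "ok"


def screen(urls):
    """Map each URL to its verdict so rejected input can be logged and reviewed."""
    return {u: check_outbound_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs.
    for u, verdict in screen([
        "https://api.contoso.example/v1/items",
        "https://api.contoso.example@attacker.example/",
        "https://api.contoso.example.attacker.example/",
    ]).items():
        print(verdict, u)
```

The HTTP client behind such a check should also have redirect following disabled, or re-run the check on every hop, otherwise an allowlisted host can still bounce the request elsewhere.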

Winlogon, Kernel and SMB Server privilege escalation flaws
Several local privilege escalation bugs this month were rated “exploitation more likely” by Microsoft or highlighted by researchers, including issues in Winlogon, the Windows Kernel, and Windows SMB Server. These types of flaws are often used after initial access to move from a limited foothold to SYSTEM-level control.

SharePoint and RRAS remote code execution issues
March also includes RCE fixes affecting Microsoft SharePoint Server and Windows Routing and Remote Access Service (RRAS), both of which can sit in important enterprise workflows and deserve careful prioritisation where deployed.

Actions to Take

With two publicly disclosed zero days and a heavy bias toward privilege escalation, March is less about panic and more about disciplined prioritisation. Here are the steps worth taking now:

  • Patch SQL Server as a priority
    CVE-2026-21262 should be near the top of the list, particularly where SQL Server underpins customer platforms, internal applications, or shared business systems.

  • Move quickly on Office and Excel updates
    The critical Office and Excel flaws reinforce an old lesson: document-based attack paths are still very relevant. User endpoints, finance teams, operations staff, and anyone regularly handling Office attachments should be patched promptly.

  • Review privilege escalation exposure, not just perimeter risk
    Because over half of this month’s fixes are elevation-of-privilege issues, it is worth checking where existing access, local admin rights, or weak segmentation could make post-compromise escalation easier than it should be.

  • Check cloud and AI-connected services
    If your environment includes Azure Arc, Azure agents, Azure AD SSH login, or MCP-related tooling, review those systems specifically rather than letting them wait in the general patch queue.

  • Use the month as a patching process check-in
    Microsoft has also announced that Windows Autopatch will enable hotpatch security updates by default for eligible devices starting with the May 2026 security update, aimed at speeding up compliance without waiting for restarts. That is a useful reminder that patching is not just about this month’s CVEs, but also about how quickly your process gets fixes into production.
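The steps above can be turned into a repeatable ranking over an asset inventory. The following is an added example, not RoboShadow or Microsoft code: the CVE facts come from this post, while the scoring weights, the inventory format and the host names are constructed assumptions to tune for your own environment.

```python
# CVE -> (product, impact type, flags). Facts as stated in this post.
CVES = {
    "CVE-2026-21262": ("SQL Server", "EoP", {"public"}),
    "CVE-2026-26127": (".NET", "DoS", {"public"}),
    "CVE-2026-26110": ("Microsoft Office", "RCE", {"critical"}),
    "CVE-2026-26113": ("Microsoft Office", "RCE", {"critical"}),
    "CVE-2026-26144": ("Microsoft Office Excel", "InfoDisc", {"critical"}),
    "CVE-2026-26118": ("Azure MCP Server Tools", "EoP", set()),
}
# Assumed weights: public disclosure first, then severity, impact and exposure.
FLAG_WEIGHT = {"public": 4, "critical": 3}
IMPACT_WEIGHT = {"EoP": 3, "RCE": 3, "InfoDisc": 1, "DoS": 1}
INTERNET_FACING_WEIGHT = 1

# Constructed sample inventory; "patched" lists CVEs already remediated on the host.
INVENTORY = [
    {"host": "web-api-02", "products": {".NET"}, "internet_facing": True, "patched": set()},
    {"host": "fin-laptop-07", "products": {"Microsoft Office", "Microsoft Office Excel"},
     "internet_facing": False, "patched": set()},
    {"host": "sql-report-04", "products": {"SQL Server"}, "internet_facing": False,
     "patched": {"CVE-2026-21262"}},
    {"host": "mcp-dev-03", "products": {"Azure MCP Server Tools"}, "internet_facing": False,
     "patched": set()},
    {"host": "sql-prod-01", "products": {"SQL Server"}, "internet_facing": False,
     "patched": set()},
]


def score(cve_id, internet_facing):
    """Priority score for one outstanding CVE on one asset."""
    _, impact, flags = CVES[cve_id]
    base = IMPACT_WEIGHT[impact] + sum(FLAG_WEIGHT[f] for f in flags)
    return base + (INTERNET_FACING_WEIGHT if internet_facing else 0)


def triage(inventory):
    """Return (host, top score, outstanding CVEs), most urgent host first."""
    rows = []
    for asset in inventory:
        outstanding = sorted(
            cve for cve, (product, _, _) in CVES.items()
            if product in asset["products"] and cve not in asset["patched"]
        )
        if outstanding:  # fully patched hosts drop out of the queue
            top = max(score(c, asset["internet_facing"]) for c in outstanding)
            rows.append((asset["host"], top, outstanding))
    # Highest score first, then most outstanding CVEs, then host name for stability.
    return sorted(rows, key=lambda r: (-r[1], -len(r[2]), r[0]))


if __name__ == "__main__":
    for host, top, cves in triage(INVENTORY):
        print(f"{top:>2}  {host:<14} {', '.join(cves)}")
```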

     

     


     

To Conclude

March’s Patch Tuesday is a good example of why vulnerability management is never just about the headline zero-day count. Yes, the two publicly disclosed issues matter, but the bigger pattern this month is the volume of privilege escalation flaws across Windows, SQL Server, Office, and cloud-connected components. Organisations need a clear patching rhythm, good asset visibility, and a realistic understanding of what is actually exposed.

This is one of the recurring challenges: it is not just about applying updates, it is about understanding where your real exposure is. A lot of organisations still struggle with basic visibility across internet-facing infrastructure, cloud services, and externally exposed assets.

That’s where our platform comes in. By continuously mapping your external attack surface, RoboShadow helps MSPs and security teams quickly identify which systems are exposed, which vulnerabilities matter most, and where patching should be prioritised. That means less guesswork during Patch Tuesday and a clearer view of the risks that actually affect your environment.

 

 

As always, thank you for your continuous support and feedback, and if you have any questions, please don’t hesitate to reach out to us at hello@roboshadow.com