Microsoft Patch Tuesday, March 2026 Edition
Source: Krebs on Security
Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software. There are no pressing “zero‑day” flaws this month (compared to February’s five zero‑day threats), but as usual some patches may deserve more rapid attention from organizations using Windows. Here are a few highlights from this month’s Patch Tuesday.

Publicly disclosed vulnerabilities
- CVE‑2026‑21262 – A privilege‑escalation weakness in SQL Server 2016 and later editions. An authorized attacker can elevate privileges to sysadmin over a network. (CVSS v3 base score: 8.8)
- CVE‑2026‑26127 – A vulnerability in applications running on .NET. Exploitation is likely limited to denial‑of‑service by triggering a crash, with potential for other attacks during a service reboot.
Microsoft Office remote‑code‑execution flaws
- CVE‑2026‑26113 – Remote code execution triggered by viewing a malicious message in the Preview Pane.
- CVE‑2026‑26110 – Same class of exploit as above.
Both are critical Office bugs that can be triggered simply by previewing a malicious email; the user does not need to open an attachment or click a link.
Privilege‑escalation bugs (55% of this month’s CVEs)
Satnam Narang at Tenable notes that a half‑dozen of these are rated “exploitation more likely” across various Windows components:
- CVE‑2026‑24291 – Incorrect permission assignments within the Windows Accessibility Infrastructure allowing SYSTEM access (CVSS 7.8)
- CVE‑2026‑24294 – Improper authentication in the core SMB component (CVSS 7.8)
- CVE‑2026‑24289 – High‑severity memory corruption and race‑condition flaw (CVSS 7.8)
- CVE‑2026‑25187 – Winlogon process weakness discovered by Google Project Zero (CVSS 7.8)
AI‑discovered critical vulnerability
Ben McCarthy, lead cyber‑security engineer at Immersive, highlighted CVE‑2026‑21536, a critical remote code execution bug in the Microsoft Devices Pricing Program. The issue was identified by XBOW, a fully autonomous AI penetration‑testing agent, and is the first AI‑discovered vulnerability to receive an official CVE for Windows.
- Microsoft has already patched the flaw; no action is required from Windows users.
- The vulnerability received a CVSS rating of 9.8, underscoring the growing impact of AI‑assisted vulnerability research.
Additional Microsoft patches
- Nine browser‑related vulnerabilities were addressed (not included in the main Patch Tuesday count).
- An out‑of‑band emergency update on March 2 for Windows Server 2022 fixed a certificate renewal issue affecting passwordless authentication (Windows Hello for Business).
Other vendor updates
- Adobe released updates for 80 vulnerabilities (including critical issues) across products such as Acrobat and Adobe Commerce.
- Mozilla Firefox version 148.0.2 resolves three high‑severity CVEs.
References & further reading
- Full Microsoft Patch Tuesday breakdown – SANS Internet Storm Center
- Ongoing Windows update news – AskWoody