Overview: 77 Patches, No Zero-Days This Cycle
Microsoft released its March 2026 Patch Tuesday security update bundle today, addressing at least 77 vulnerabilities across Windows operating systems and related software. Unlike February's update cycle — which contained five actively exploited zero-day flaws — this month brings no such pressing emergency. That said, security researchers are pointing to several patches that warrant prioritized attention from enterprise defenders.
Previously Disclosed Vulnerabilities Now Patched
Two of the 77 bugs fixed this month had already been publicly disclosed before today's patches arrived, giving potential attackers advance notice of the weaknesses.
CVE-2026-21262: SQL Server Privilege Escalation
The first publicly known flaw, CVE-2026-21262, affects SQL Server 2016 and later editions. It allows an authenticated attacker to elevate their privileges to sysadmin level over a network connection. Rapid7's Adam Barnett weighed in on the severity, noting that while the vulnerability's CVSS v3 base score of 8.8 falls just below the critical threshold — because it requires low-level privileges to initiate — organizations should not treat that as a reason to delay patching.
"This isn't just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network. It would be a courageous defender who shrugged and deferred the patches for this one." — Adam Barnett, Rapid7
CVE-2026-26127: .NET Denial-of-Service Risk
The second pre-disclosed flaw, CVE-2026-26127, affects applications running on .NET. According to Barnett, the most immediate exploitation impact is likely limited to denial of service via an application crash, though other attack types may become possible during a service reboot window.
Critical Microsoft Office Remote Code Execution
Continuing a long-standing Patch Tuesday tradition, this month includes critical remote code execution vulnerabilities in Microsoft Office. CVE-2026-26113 and CVE-2026-26110 are both RCE flaws that can be triggered simply by viewing a maliciously crafted message in the Preview Pane — no file opening or user confirmation required. The Preview Pane attack vector makes these particularly dangerous in enterprise email environments.
Privilege Escalation Dominates This Month's CVE Landscape
Tenable's Satnam Narang observed that just over 55% of all Patch Tuesday CVEs this month are privilege escalation bugs. Of those, six were rated exploitation more likely, spanning several core Windows components: Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon.
The six "exploitation more likely" privilege escalation CVEs include:
- CVE-2026-24291 — Incorrect permission assignments in the Windows Accessibility Infrastructure, enabling elevation to SYSTEM level (CVSS 7.8)
- CVE-2026-24294 — Improper authentication in the core SMB component (CVSS 7.8)
- CVE-2026-24289 — High-severity memory corruption and race condition flaw (CVSS 7.8)
- CVE-2026-25187 — A weakness in the Winlogon process, discovered by Google Project Zero (CVSS 7.8)
AI Agent Makes History With CVE-2026-21536
Perhaps the most notable entry in this month's advisory is CVE-2026-21536, a critical remote code execution vulnerability in the Microsoft Devices Pricing Program component, rated CVSS 9.8. Microsoft has already resolved the issue server-side, requiring no action from end users.
What sets this CVE apart is its origin: it was discovered by XBOW, described as a fully autonomous AI penetration testing agent. XBOW has consistently ranked at or near the top of the HackerOne bug bounty leaderboard for the past year, and this marks one of the first vulnerabilities identified by an AI agent to receive an official CVE attribution tied to the Windows operating system.
Ben McCarthy, lead cybersecurity engineer at Immersive, highlighted the broader significance of this discovery, noting that XBOW identified a 9.8-rated critical vulnerability without access to source code.
"Although Microsoft has already patched and mitigated the vulnerability, it highlights a shift toward AI-driven discovery of complex vulnerabilities at increasing speed. This development suggests AI-assisted vulnerability research will play a growing role in the security landscape." — Ben McCarthy, Immersive
Additional Updates: Browsers, Windows Server, and Third-Party Software
Beyond the core Patch Tuesday count of 77 fixes, Microsoft separately addressed nine browser vulnerabilities earlier in the month, which are not included in today's tally.
Microsoft also issued a critical out-of-band emergency update on March 2 for Windows Server 2022 to resolve a certificate renewal problem affecting Windows Hello for Business, the company's passwordless authentication technology.
On the third-party front:
- Adobe shipped updates patching 80 vulnerabilities — some critical — across products including Acrobat and Adobe Commerce.
- Mozilla Firefox version 148.0.2 resolves three high-severity CVEs.
Resources for Staying Current
For a comprehensive breakdown of every patch Microsoft released today, the SANS Internet Storm Center's Patch Tuesday post provides detailed analysis. Windows enterprise administrators looking to monitor reports of problematic updates after deployment are encouraged to check AskWoody.com on an ongoing basis.
Source: Krebs on Security