
84 Flaws Patched, Including Two Publicly Disclosed Vulnerabilities: Microsoft’s March 2026 Patch Tuesday Update


The second Tuesday of March 2026 delivered another significant security update cycle from Microsoft. This month’s Patch Tuesday addressed a substantial number of vulnerabilities across Windows, Office, Azure, SQL Server, Hyper-V, Edge, and several other Microsoft components.

Across all products, Microsoft fixed 84 vulnerabilities, with eight rated Critical and the rest Important. None of the vulnerabilities patched this month are known to be actively exploited, though two were publicly disclosed before patching.



Publicly Disclosed Vulnerabilities

Two vulnerabilities were disclosed before patch availability, raising urgency:

1. CVE-2026-26127 — .NET Denial of Service

This vulnerability stems from an out-of-bounds read in .NET's Base64Url decoding logic: applications running on .NET 9 and .NET 10 crash when they decode malformed input. Because the flaw can be triggered remotely without authentication, an attacker can disrupt exposed services on Windows, Linux, and macOS with minimal effort. Microsoft assesses exploitation as less likely, but the public disclosure raises the chance of probing by opportunistic attackers. The issue affects multiple runtime builds of .NET and the Microsoft.Bcl.Memory package, both of which require updates to prevent service interruptions. Given the ease of network exploitation, organizations should patch promptly to avoid denial-of-service conditions.
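As an added example (not code from the original post or from Microsoft), the following PowerShell inventories a host for the two things this write-up says need updating: .NET 9 and 10 shared runtimes, and application projects that pin the Microsoft.Bcl.Memory package. The page does not give the fixed version numbers, so the `$MinPatched` thresholds and the `ProjectRoot` path are placeholders to replace with values from Microsoft's advisory and your own source tree.

```powershell
# Added example: find .NET assets that fall in the CVE-2026-26127 affected set.
# Assumptions: 'dotnet' is on PATH; the version numbers in $MinPatched are
# placeholders, not values taken from the advisory.

function Get-DotnetRuntimeInventory {
    # Parses 'dotnet --list-runtimes' lines such as:
    #   Microsoft.NETCore.App 9.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
    param([string[]]$RuntimeLines)
    if (-not $RuntimeLines) {
        $dotnet = Get-Command dotnet -ErrorAction SilentlyContinue
        if (-not $dotnet) { return }
        $RuntimeLines = & $dotnet.Source --list-runtimes
    }
    foreach ($line in $RuntimeLines) {
        if ($line -match '^(?<name>\S+)\s+(?<ver>\d+\.\d+\.\d+)\s+\[(?<path>.+)\]\s*$') {
            [pscustomobject]@{
                Runtime = $Matches.name
                Version = [version]$Matches.ver
                Path    = $Matches.path
            }
        }
    }
}

function Find-AffectedDotnet {
    param(
        # Placeholder thresholds: replace with the servicing versions Microsoft
        # lists for the March 2026 .NET 9 and .NET 10 updates.
        [hashtable]$MinPatched = @{ 9 = [version]'9.0.999'; 10 = [version]'10.0.999' },
        [string]$ProjectRoot = 'C:\src',   # assumed location of application source
        [string[]]$RuntimeLines             # optional: pre-captured list-runtimes output
    )
    foreach ($rt in (Get-DotnetRuntimeInventory -RuntimeLines $RuntimeLines)) {
        $major = $rt.Version.Major
        if ($MinPatched.ContainsKey($major) -and $rt.Version -lt $MinPatched[$major]) {
            [pscustomobject]@{
                Kind  = 'Runtime'
                Item  = "$($rt.Runtime) $($rt.Version)"
                Where = $rt.Path
                Note  = "below assumed patched version $($MinPatched[$major])"
            }
        }
    }
    # Applications that reference Microsoft.Bcl.Memory carry the package's own
    # Base64Url code, so they need a package bump even once the shared runtime is patched.
    if (Test-Path $ProjectRoot) {
        Get-ChildItem -Path $ProjectRoot -Recurse -File -Include '*.csproj','*.fsproj','packages.lock.json','Directory.Packages.props' -ErrorAction SilentlyContinue |
            Select-String -Pattern 'Microsoft\.Bcl\.Memory' |
            ForEach-Object {
                [pscustomobject]@{
                    Kind  = 'Package'
                    Item  = 'Microsoft.Bcl.Memory'
                    Where = "$($_.Path):$($_.LineNumber)"
                    Note  = 'compare the referenced package version with the advisory'
                }
            }
    }
}

# Live run on this host:
Find-AffectedDotnet | Format-Table -AutoSize

# Offline run against constructed sample output (not captured from a real host):
$sample = @(
    'Microsoft.NETCore.App 9.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]',
    'Microsoft.AspNetCore.App 10.0.1 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]',
    'Microsoft.NETCore.App 8.0.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]'
)
Find-AffectedDotnet -RuntimeLines $sample | Format-Table -AutoSize
```

With the sample input only the 9.0.3 and 10.0.1 entries are reported; the 8.0.11 runtime is outside the .NET 9/10 families the page names, so it is ignored even though it is older.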

2. CVE-2026-21262 — SQL Server Elevation of Privilege

This vulnerability is caused by improper access control in SQL Server that allows a low-privileged authenticated user to escalate to full sysadmin over the network. With a CVSS score of 8.8, it poses a serious risk: sysadmin rights give complete control over databases, linked servers, and the SQL Server configuration. Microsoft confirmed that the flaw was publicly disclosed before a patch was available, which raises its priority for enterprise defenders. The underlying weakness may be tied to permission handling in stored procedures and upgrade paths, and exploitation is relatively straightforward for an attacker who already holds valid credentials. Applying Microsoft's March 2026 SQL Server updates and enforcing least-privilege access are critical to mitigating the risk.
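As an added example (not code from the original post), the following PowerShell pulls an instance's version properties and lists every principal that is effectively sysadmin, either through role membership or through a CONTROL SERVER grant, then flags those outside an approved baseline. A low-privileged login showing up in that list after the fact is exactly the signal an elevation like this one would leave. It assumes Windows PowerShell 5.1 (where System.Data.SqlClient is built in), a placeholder connection string, and a placeholder `$ApprovedSysadmins` list; the patched build number is not on this page and must be taken from Microsoft's advisory.

```powershell
# Added example: check a SQL Server instance's patch level and audit who already
# holds sysadmin-equivalent rights, the target of CVE-2026-21262.
# Assumptions: Windows PowerShell 5.1 (System.Data.SqlClient is available);
# the connection string and the $ApprovedSysadmins baseline are placeholders.

function Invoke-SqlQuery {
    param([string]$ConnectionString, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table          # leading comma keeps the DataTable from unrolling
    } finally {
        $conn.Close()
    }
}

function Get-SqlSysadminAudit {
    param(
        [string]$ConnectionString = 'Server=localhost;Integrated Security=True;Encrypt=True;TrustServerCertificate=True',
        [string[]]$ApprovedSysadmins = @('sa', 'CONTOSO\sqldba')   # assumed baseline
    )

    # Patch level: compare ProductVersion / ProductUpdateLevel with the build
    # Microsoft lists for the March 2026 SQL Server update (not given on this page).
    $ver = Invoke-SqlQuery $ConnectionString @"
SELECT CAST(SERVERPROPERTY('ProductVersion')     AS nvarchar(64)) AS ProductVersion,
       CAST(SERVERPROPERTY('ProductLevel')       AS nvarchar(64)) AS ProductLevel,
       CAST(SERVERPROPERTY('ProductUpdateLevel') AS nvarchar(64)) AS ProductUpdateLevel;
"@

    # Everyone who is effectively sysadmin: explicit role members plus any
    # principal granted CONTROL SERVER, which is equivalent in practice.
    $admins = Invoke-SqlQuery $ConnectionString @"
SELECT m.name, m.type_desc, m.is_disabled, N'sysadmin role' AS via
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
UNION ALL
SELECT p.name, p.type_desc, p.is_disabled, N'CONTROL SERVER grant' AS via
FROM sys.server_permissions sp
JOIN sys.server_principals p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = N'CONTROL SERVER' AND sp.state = 'G';
"@

    $principals = foreach ($row in $admins.Rows) {
        [pscustomobject]@{
            Principal = $row.name
            Type      = $row.type_desc
            Disabled  = [bool]$row.is_disabled
            Via       = $row.via
            Approved  = ($ApprovedSysadmins -contains $row.name)
        }
    }

    [pscustomobject]@{
        Version    = $ver.Rows[0]
        Principals = $principals
    }
}

$report = Get-SqlSysadminAudit
$report.Version | Select-Object ProductVersion, ProductLevel, ProductUpdateLevel | Format-List
# Anything not on the baseline deserves a look, disabled or not.
$report.Principals | Where-Object { -not $_.Approved } | Format-Table -AutoSize
```

Running this before and after the patch window, and diffing the two principal lists, turns the audit into a cheap detection for the privilege escalation this CVE describes.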


Critical Vulnerabilities

CVE-2026-21536 — Microsoft Devices Pricing Program RCE

This critical remote code execution flaw affects Microsoft's Devices Pricing Program service and allows an unauthenticated attacker to execute arbitrary code without user interaction. The issue is network-exploitable. Microsoft has not shared technical details, but confirmed that the vulnerability is fully mitigated on the service side and requires no customer action. As the highest-severity flaw this month, it stands out for its reach across backend infrastructure; its presence is a reminder that Microsoft-hosted service components, which never appear in a customer's patching workflow, still carry vulnerabilities that defenders should track in Microsoft's release notes.


CVE-2026-26110 & CVE-2026-26113 — Microsoft Office RCE

Both vulnerabilities enable remote code execution in Microsoft Office and can be triggered simply by viewing a malicious file in the Preview Pane, which makes them high-risk even though Microsoft rates exploitation as less likely. They involve flaws in pointer handling and type confusion that let a crafted file bypass internal safety boundaries. An attacker can exploit them to run arbitrary code with the user's privileges, opening the door to malware deployment or lateral movement. Their inclusion in the Critical category this month reflects how consistently Office file parsing appears in real-world attack chains.


CVE-2026-26144 — Microsoft Excel Information Disclosure

This flaw in Microsoft Excel can allow attackers to read portions of heap memory, potentially leaking sensitive information processed by Excel. The vulnerability stems from improper memory handling in specific document structures, enabling attackers to craft files that expose internal data fragments. While not as severe as RCE, memory disclosure is often used as a precursor in exploit chains to bypass protections like ASLR.


CVE-2026-26122 & CVE-2026-26124 — Azure ACI Confidential Containers

These vulnerabilities affect Azure Container Instances (ACI) Confidential Containers through weaknesses in initialization routines and privilege-isolation boundaries. Improper defaults and permissive behavior allow an authenticated attacker to extract sensitive information or escalate privileges within containerized workloads hosted in ACI. Microsoft has not provided a deep technical breakdown; both vulnerabilities are marked as resolved with service-side mitigations and require no customer action.

Affected Products

  • .NET    
  • Active Directory Domain Services    
  • ASP.NET Core    
  • Azure Arc  
  • Azure Compute Gallery  
  • Azure Entra ID  
  • Azure IoT Explorer  
  • Azure Linux Virtual Machines    
  • Azure MCP Server    
  • Azure Portal Windows Admin Center  
  • Azure Windows Virtual Machine Agent
  • Broadcast DVR  
  • Connected Devices Platform Service (Cdpsvc)
  • GitHub Repo: zero-shot-scfoundation
  • Mariner
  • Microsoft Authenticator
  • Microsoft Brokering File System
  • Microsoft Devices Pricing Program  
  • Microsoft Graphics Component    
  • Microsoft Office    
  • Microsoft Office Excel  
  • Microsoft Office SharePoint
  • Microsoft Semantic Kernel Python SDK (CVE-2026-26030)
  • Payment Orchestrator Service    
  • Push Message Routing Service    
  • Role: Windows Hyper-V  
  • SQL Server  
  • System Center Operations Manager    
  • Windows Accessibility Infrastructure (ATBroker.exe)
  • Windows Ancillary Function Driver for WinSock  
  • Windows App Installer  
  • Windows Authentication Methods  
  • Windows Bluetooth RFCOM Protocol Driver
  • Windows Device Association Service  
  • Windows DWM Core Library    
  • Windows Extensible File Allocation  
  • Windows File Server
  • Windows GDI
  • Windows GDI+    
  • Windows Kerberos    
  • Windows Kernel  
  • Windows MapUrlToZone    
  • Windows Mobile Broadband    
  • Windows NTFS    
  • Windows Performance Counters    
  • Windows Print Spooler Components    
  • Windows Projected File System  
  • Windows Resilient File System (ReFS)    
  • Windows Routing and Remote Access Service (RRAS)    
  • Windows Shell Link Processing  
  • Windows SMB Server  
  • Windows System Image Manager    
  • Windows Telephony Service  
  • Windows Universal Disk Format File System Driver (UDFS)
  • Windows Win32K  
  • Winlogon    

Remediation Guidance

1. Prioritize publicly disclosed and Critical vulnerabilities
Apply patches for CVE-2026-26127, CVE-2026-21262, and the Office RCE issues (CVE-2026-26110 and CVE-2026-26113) immediately.

2. Monitor environments for privilege elevation attempts
With more than half of the March CVEs classified as elevation of privilege, make sure logging covers login anomalies, token misuse, and SYSTEM-level privilege activity, and that someone is actually reviewing it.

3. Patch Office and SQL workloads early
Office RCE and SQL EoP represent high-value attack vectors.

4. Do not delay cloud updates
Azure ACI, Azure Compute, and Azure identity components include vulnerabilities affecting confidential workloads and privilege boundaries.

5. Update endpoints, servers, and containerized environments uniformly
Broad system coverage means inconsistent patching can create pivot points for attackers.
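The monitoring step above, as an added example that is not part of the original post: PowerShell that reads Security event 4672 ("Special privileges assigned to new logon"), the record Windows writes when a logon session is handed sensitive privileges, drops accounts on an allowlist, and summarises the rest per account. The `$ExpectedAccounts` allowlist and the `$SensitivePrivileges` set are assumptions to tune for your estate; the script needs rights to read the Security log and reports nothing on hosts where the Special Logon audit subcategory is disabled.

```powershell
# Added example: surface privileged logons that fall outside a baseline, using
# Security event 4672. Run elevated on the host, or point -ComputerName at a
# forwarded-events collector. The allowlist and privilege set are assumptions.

function Get-UnexpectedPrivilegedLogons {
    param(
        [int]$Hours = 24,
        # Accounts expected to receive sensitive privileges; '*$' covers machine accounts.
        [string[]]$ExpectedAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'DWM-*', 'UMFD-*', '*$'),
        # Privileges that amount to SYSTEM-equivalent control of the host.
        [string[]]$SensitivePrivileges = @(
            'SeDebugPrivilege', 'SeTcbPrivilege', 'SeLoadDriverPrivilege',
            'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
            'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege'
        ),
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{ LogName = 'Security'; Id = 4672; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $hits = foreach ($e in $events) {
        # EventData is simplest to read from the XML: each <Data Name="..."> becomes a key.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $account  = $data['SubjectUserName']
        $expected = $false
        foreach ($pattern in $ExpectedAccounts) {
            if ($account -like $pattern) { $expected = $true; break }
        }
        if ($expected) { continue }

        # PrivilegeList is whitespace-separated; keep only the ones we care about.
        $privs = $data['PrivilegeList'] -split '\s+' | Where-Object { $_ -in $SensitivePrivileges }
        if (-not $privs) { continue }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            Account    = "$($data['SubjectDomainName'])\$account"
            LogonId    = $data['SubjectLogonId']   # correlate with 4624/4688 for the source
            Privileges = ($privs -join ',')
        }
    }

    # One line per account: how often, first and last seen, union of privileges.
    $hits | Group-Object Account | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Account    = $_.Name
            Logons     = $_.Count
            FirstSeen  = $sorted[0].Time
            LastSeen   = $sorted[-1].Time
            Privileges = (($_.Group.Privileges -split ',') | Sort-Object -Unique) -join ','
        }
    }
}

Get-UnexpectedPrivilegedLogons -Hours 24 | Sort-Object Logons -Descending | Format-Table -AutoSize
```

An ordinary user account appearing here with SeDebugPrivilege or SeImpersonatePrivilege, on a host that was not yet patched, is worth pulling the matching 4624 and 4688 events for by LogonId.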

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated patching solution that quickly fixes risks exploited in the wild. It supports the major operating systems (Windows, Linux, and macOS) as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.