Cybersecurity

March 2026 Patch Tuesday: Microsoft Addresses 77 Vulnerabilities Without Zero-Day Exploits

2026-05-01 11:04:08

Overview of March 2026 Patches

Microsoft released its monthly security updates on March 10, 2026, addressing at least 77 vulnerabilities across Windows and other software. Unlike February's five zero-day exploits, this month sees no actively exploited flaws—but several patches still demand urgent attention from organizations. Below, we highlight the most critical updates and emerging trends from this Patch Tuesday.

March 2026 Patch Tuesday: Microsoft Addresses 77 Vulnerabilities Without Zero-Day Exploits
Source: krebsonsecurity.com

Publicly Disclosed Vulnerabilities

Two of the bugs patched today were previously disclosed, increasing the risk of exploitation before users apply fixes.

CVE-2026-21262: SQL Server Privilege Escalation

This vulnerability affects SQL Server 2016 and later editions, allowing an authenticated attacker to elevate privileges to sysadmin status over a network. According to Rapid7's Adam Barnett, the flaw carries a CVSS v3 base score of 8.8, just below critical severity. "It would be a courageous defender who shrugged and deferred the patches for this one," Barnett remarked. The publicly disclosed nature of this bug increases the urgency of applying the update.

CVE-2026-26127: .NET Applications at Risk

Another publicly known issue, CVE-2026-26127, impacts applications running on .NET. While the immediate impact is typically denial of service through crashes, Barnett warns that other attack vectors may emerge during service reboots. Organizations using .NET should prioritize this patch.

Critical Office Flaws Demand Immediate Action

Microsoft Office vulnerabilities remain a staple of Patch Tuesday, and March 2026 delivers two critical remote code execution (RCE) bugs: CVE-2026-26113 and CVE-2026-26110. Both can be triggered simply by viewing a malicious email in the Preview Pane, making them especially dangerous for businesses reliant on Outlook. Users are advised to apply the Office updates as soon as possible to block potential attacks.

Privilege Escalation Bugs Dominate This Month's Patches

Satnam Narang from Tenable notes that 55% of all CVEs this month are privilege escalation vulnerabilities. Among these, six are rated "exploitation more likely" by Microsoft, spanning multiple Windows components:

These vulnerabilities could allow attackers to gain SYSTEM-level access, emphasizing the need for rapid deployment of the cumulative Windows update.


A Glimpse into the Future: AI-Discovered Vulnerability

One of the more intriguing updates this month is CVE-2026-21536, a critical remote code execution bug in the Microsoft Devices Pricing Program. Ben McCarthy, lead cyber security engineer at Immersive, highlights that this vulnerability was discovered by XBOW, a fully autonomous AI penetration testing agent. Microsoft has already resolved the issue server-side, requiring no action from Windows users. However, McCarthy notes that CVE-2026-21536 is one of the first flaws discovered by an AI agent to receive a CVE specifically attributed to the Windows operating system. XBOW has consistently ranked at or near the top in automated security testing, signaling a shift toward machine-driven vulnerability discovery.

Conclusion

While March 2026 lacks zero-day exploits, the volume of publicly disclosed and high-severity privilege escalation bugs demands vigilance. Critical Office RCE flaws and the emergence of AI-discovered vulnerabilities underscore evolving attack surfaces. Organizations should prioritize the updates for SQL Server, .NET, Microsoft Office, and the privilege escalation bugs listed above. As always, test patches in staging environments before full deployment to minimize disruption.
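To turn the prioritization above into something an administrator can act on, the following read-only PowerShell inventory script is added here as an example; it is not from the KrebsOnSecurity article or from Microsoft. It reports whether any Windows hotfix has been installed since the March 10, 2026 release, the patch level of each SQL Server instance and of Click-to-Run Office, the .NET runtimes present, and who currently holds the SQL Server `sysadmin` role (the privilege CVE-2026-21262 lets an authenticated attacker reach). The article gives no fixed build numbers, so the `$Expected` thresholds are placeholders that must be filled in from Microsoft's release notes; the `Test-AtLeast` and `Get-*State` function names are the example's own, and the `sysadmin` audit assumes the `SqlServer` module (`Invoke-Sqlcmd`) is available and is skipped otherwise.

```powershell
# Added example (not from the article): pre/post-patch inventory for the
# products the March 2026 Patch Tuesday flags. Runs read-only; elevate to
# read HKLM setup keys and to query SQL Server.

$PatchTuesday = Get-Date -Date '2026-03-10'

# Placeholders: set these from Microsoft's release notes for each product.
$Expected = @{
    SqlServerMinBuild = $null   # e.g. first fixed build for your SQL Server version
    OfficeMinVersion  = $null   # e.g. first fixed Click-to-Run build
}

function Test-AtLeast([string]$Actual, [string]$Minimum) {
    # Compare version strings; report clearly when a threshold is still unset.
    if (-not $Actual)  { return 'not found' }
    if (-not $Minimum) { return 'threshold not set' }
    if ([version]$Actual -ge [version]$Minimum) { 'patched' } else { 'UPDATE REQUIRED' }
}

function Get-WindowsPatchState {
    # Any hotfix installed on or after the March 10, 2026 release date.
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday }
    [pscustomobject]@{
        Component = 'Windows cumulative update'
        Version   = ($recent | ForEach-Object { $_.HotFixID }) -join ', '
        Status    = if ($recent) { 'hotfix installed since 2026-03-10' } else { 'nothing installed since 2026-03-10' }
    }
}

function Get-SqlServerState {
    # Each instance records its patch level under
    # HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\<InstanceId>\Setup\PatchLevel.
    $names = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    if (-not (Test-Path $names)) { return }
    $map = Get-ItemProperty $names
    foreach ($inst in ($map.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $setup = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($inst.Value)\Setup"
        $ver = (Get-ItemProperty $setup -ErrorAction SilentlyContinue).PatchLevel
        [pscustomobject]@{
            Component = "SQL Server ($($inst.Name))"
            Version   = $ver
            Status    = Test-AtLeast $ver $Expected.SqlServerMinBuild
        }
    }
}

function Get-OfficeState {
    # Click-to-Run Office exposes its build as VersionToReport.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path $c2r)) { return }
    $ver = (Get-ItemProperty $c2r).VersionToReport
    [pscustomobject]@{
        Component = 'Microsoft Office (Click-to-Run)'
        Version   = $ver
        Status    = Test-AtLeast $ver $Expected.OfficeMinVersion
    }
}

function Get-DotNetState {
    # Modern .NET runtimes as listed by the dotnet host, if it is installed.
    if (-not (Get-Command dotnet -ErrorAction SilentlyContinue)) { return }
    foreach ($line in (& dotnet --list-runtimes)) {
        [pscustomobject]@{ Component = '.NET runtime'; Version = $line; Status = 'review against advisory' }
    }
}

function Get-SysadminMembers([string]$Instance = 'localhost') {
    # Audit sysadmin membership so an unexpected principal stands out.
    # Assumes the SqlServer module; skipped when Invoke-Sqlcmd is unavailable.
    if (-not (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue)) { return }
    Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT m.name AS member, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
"@
}

# Run the inventory and print one table per concern.
@(Get-WindowsPatchState; Get-SqlServerState; Get-OfficeState; Get-DotNetState) |
    Format-Table Component, Version, Status -AutoSize

Get-SysadminMembers | Format-Table member, type_desc -AutoSize
```

Run it once before deployment to capture a baseline, then again after the updates land; a `sysadmin` member that appears between the two runs, or a component still reporting `UPDATE REQUIRED`, is what to investigate first. The SQL Server and Office checks say `threshold not set` until the placeholder builds are filled in, so the script never reports "patched" on the strength of a guess.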
