Microsoft Patch Tuesday March 2026: 77 Vulnerabilities Addressed

Microsoft Corp. today released security updates to address at least 77 vulnerabilities in its Windows operating systems and other software. Unlike February’s release, which included five zero-day flaws, this month’s Patch Tuesday does not feature any pressing zero-day vulnerabilities. However, organizations using Windows are advised to prioritize certain patches due to their potential impact.

Publicly Disclosed Vulnerabilities

Two of the vulnerabilities patched this month were previously disclosed publicly:

  • CVE-2026-21262: A privilege escalation flaw in SQL Server 2016 and later editions. According to Rapid7’s Adam Barnett, this vulnerability allows an authorized attacker to elevate privileges to sysadmin over a network. While the CVSS v3 base score is 8.8 (just below critical severity), Barnett noted that deferring patches for this flaw would be a risky decision for defenders.
  • CVE-2026-26127: A vulnerability in applications running on .NET. Exploitation is likely to result in a denial of service via a crash, with potential for further attacks during service reboot.

Critical Microsoft Office Exploits

This month’s Patch Tuesday includes two critical remote code execution (RCE) flaws in Microsoft Office:

  • CVE-2026-26113
  • CVE-2026-26110

These vulnerabilities can be triggered simply by viewing a malicious message in the Preview Pane. Satnam Narang of Tenable noted that 55% of all Patch Tuesday CVEs this month are privilege escalation bugs, with six rated as "exploitation more likely."

Notable Privilege Escalation Vulnerabilities

The following privilege escalation vulnerabilities, all rated with a CVSS score of 7.8, require immediate attention:

  • CVE-2026-24291: Incorrect permission assignments in the Windows Accessibility Infrastructure, allowing access to SYSTEM.
  • CVE-2026-24294: Improper authentication in the core SMB component.
  • CVE-2026-24289: High-severity memory corruption and race condition flaw.
  • CVE-2026-25187: Winlogon process weakness discovered by Google Project Zero.

AI-Discovered Vulnerability in Microsoft Devices Pricing Program

Ben McCarthy, lead cybersecurity engineer at Immersive, highlighted CVE-2026-21536, a critical remote code execution bug in the Microsoft Devices Pricing Program. Microsoft has already resolved the issue, and no action is required from Windows users. The vulnerability is nonetheless notable as one of the first identified by an AI agent to be officially recognized with a CVE attributed to the Windows operating system.

The vulnerability was discovered by XBOW, a fully autonomous AI penetration testing agent that has consistently ranked at or near the top of the HackerOne bug bounty leaderboard for the past year. McCarthy emphasized that CVE-2026-21536 demonstrates how AI agents can identify critical 9.8-rated vulnerabilities without access to source code.

"Although Microsoft has already patched and mitigated the vulnerability, it highlights a shift toward AI-driven discovery of complex vulnerabilities at increasing speed. This development suggests AI-assisted vulnerability research will play a growing role in the security landscape."

— Ben McCarthy, Lead Cybersecurity Engineer at Immersive