Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days
Microsoft on Tuesday released fixes for 84 new security vulnerabilities across Windows and related products, and said two of those flaws had already been publicly disclosed. Eight of the issues are rated Critical and 76 are rated Important, and the set includes a mix of privilege escalation, remote code execution, information disclosure, spoofing, denial-of-service, and security feature bypass bugs.
Key vulnerabilities and credits
Microsoft identified 46 privilege escalation bugs, 18 remote code execution flaws, and 10 information disclosure issues among the March patches. The two publicly disclosed zero-days in this batch are CVE-2026-26127, a denial-of-service vulnerability in the .NET framework with a CVSS score of 7.5, and CVE-2026-21262, an elevation-of-privilege vulnerability in SQL Server with a CVSS score of 8.8, Microsoft added.
The highest-scoring issue in this release is a critical remote code execution flaw tracked as CVE-2026-21536 in the Microsoft Devices Pricing Program. Microsoft said the bug carries a 9.8 CVSS score and that it has been fully mitigated; the company credited autonomous vulnerability discovery platform XBOW with reporting the issue.
Tenable senior staff research engineer Satnam Narang highlighted an important trend: “This month, over half (55%) of all Patch Tuesday CVEs were privilege escalation bugs, and of those, six were rated exploitation more likely across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon.” Narang warned that “these bugs are typically used by threat actors as part of post-compromise activity, once they get onto systems through other means.”
Notable technical details
One of the notable privilege escalation bugs is CVE-2026-25187 in Winlogon. Google Project Zero researcher James Forshaw is credited for reporting the issue. Jacob Ashdown, cybersecurity engineer at Immersive, said: “The flaw allows a locally authenticated attacker with low privileges to exploit a link-following condition in the Winlogon process and escalate to SYSTEM privileges. The vulnerability requires no user interaction and has low attack complexity, making it a straightforward target once an attacker gains a foothold.”
Another high-risk bug is CVE-2026-26118, a server-side request forgery problem in the Azure Model Context Protocol server. Microsoft explained that “an attacker could exploit this issue by sending specially crafted input to an Azure Model Context Protocol (MCP) Server tool that accepts user-provided parameters,” and that if the MCP Server makes an outbound request it may include its managed identity token, which an attacker could capture to assume the MCP Server’s permissions.
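The token-leak condition described above comes down to a server attaching its identity to a request whose destination the caller chose. The following is an added illustration of a defensive check for that pattern, not Microsoft's code or its fix; the allowlist entry, function names and the injectable resolver are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the only host this tool should ever call with its identity token.
TOKEN_HOSTS = {"management.azure.com"}

def resolve(host):
    """Resolve a hostname to the set of IP addresses a request could reach."""
    return {ipaddress.ip_address(ai[4][0]) for ai in socket.getaddrinfo(host, 443)}

def check_outbound(url, resolver=resolve):
    """Classify a caller-supplied URL as 'block', 'anonymous' or 'with_token'."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "block"                      # malformed URL
    if parts.scheme != "https" or not host or parts.username or parts.password:
        return "block"                      # cleartext, empty host, or userinfo tricks
    try:
        addrs = {ipaddress.ip_address(host)}  # IP literal: check it directly
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return "block"                  # unresolvable
    # Loopback, private and link-local targets (169.254.169.254 is the
    # instance metadata address) are never valid destinations for user input.
    if not addrs or any(not a.is_global for a in addrs):
        return "block"
    # Exact-match allowlist: look-alike hosts get no credential.
    return "with_token" if host in TOKEN_HOSTS else "anonymous"

def build_headers(url, token, resolver=resolve):
    """Return request headers, attaching the bearer token only when allowed."""
    decision = check_outbound(url, resolver)
    if decision == "block":
        raise ValueError(f"outbound request to {url!r} refused")
    return {"Authorization": f"Bearer {token}"} if decision == "with_token" else {}
```

The HTTP client that sends the request should connect to the address that was checked and should not follow redirects without re-running the check, otherwise a second DNS answer or a redirect can undo the decision.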
Among Critical-severity fixes is an information disclosure flaw in Excel, CVE-2026-26144. Microsoft warned the bug could be used to cause Copilot Agent mode to exfiltrate data in certain scenarios. Alex Vovk, CEO and co-founder of Action1, said: “Information disclosure vulnerabilities are especially dangerous in corporate environments where Excel files often contain financial data, intellectual property, or operational records.” Vovk added that AI-assisted productivity features can increase exposure if automated agents unintentionally transmit sensitive data.
What administrators should do
Microsoft also said it is changing Windows Autopatch default behavior to enable hotpatch security updates for eligible devices, noting that applying fixes without waiting for a restart can speed compliance. Microsoft said: “Applying security fixes without waiting for a restart can get organizations to 90% compliance in half the time, while you remain in control.”
Given the number and variety of flaws, security teams should prioritize applying Microsoft’s updates quickly after testing, Tenable’s Satnam Narang recommended in his guidance on exploitation risk. Organizations that delay patching risk exposure because publicly disclosed bugs and privilege escalation flaws are common components of multi-stage intrusions, researchers and vendors warned.