Microsoft has released its March 2026 Patch Tuesday security update, fixing 79 vulnerabilities across Windows, Office, SQL Server, .NET, and other products. The update includes patches for 2 publicly disclosed zero-day vulnerabilities and 3 critical-rated flaws, making this a high-priority update for all Windows users and IT administrators.

The Two Zero-Days
CVE-2026-21262 — SQL Server Elevation of Privilege (CVSS 8.8)
This high-severity vulnerability in Microsoft SQL Server 2016 and later allows a logged-in user to quietly escalate their privileges and potentially become a full database administrator (sysadmin). With sysadmin access, an attacker can read, modify, or delete data, create new accounts, and tamper with database configurations. Security researchers describe this as a patch not to defer: if you’re running SQL Server, patch immediately.
CVE-2026-26127 — .NET Denial of Service (CVSS 7.5)
This vulnerability in Microsoft .NET 9.0 and 10.0 across Windows, macOS, and Linux allows an attacker to remotely crash .NET applications. For public-facing web APIs, payment services, or line-of-business apps built on affected .NET versions, this can mean real-world outages. The flaw lives in the .NET runtime itself, meaning any application built on affected versions is at risk.
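Because the flaw is in the runtime rather than in application code, the first triage step is finding which hosts carry a 9.0 or 10.0 runtime. The following is an added example, not part of the original article or any Microsoft tooling: it parses the text printed by `dotnet --list-runtimes` and flags runtimes on the affected lines. The article does not state the patched build numbers, so the `fixed` map is an assumption to be filled in from the vendor advisory, and the sample listing is constructed.

```python
import re

# Major.minor lines the article names as affected.
AFFECTED_LINES = {(9, 0), (10, 0)}

# One line of `dotnet --list-runtimes`: "<name> <version> [<install dir>]"
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)(-\S+)?\s+\[(.+)\]$")

def parse_runtimes(listing):
    """Yield (name, (major, minor, patch), prerelease, path) per runtime line."""
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            name, major, minor, patch, pre, path = m.groups()
            yield name, (int(major), int(minor), int(patch)), pre or "", path

def needs_review(listing, fixed=None):
    """Return runtimes on an affected line that are not known to be patched.

    `fixed` (assumption, supplied by the operator) maps (major, minor) to the
    first patched (major, minor, patch). With no entry for a line, every
    runtime on that line is flagged.
    """
    fixed = fixed or {}
    flagged = []
    for name, ver, pre, path in parse_runtimes(listing):
        line = ver[:2]
        if line not in AFFECTED_LINES:
            continue
        patched = fixed.get(line)
        # A prerelease build sorts before the release with the same number.
        if patched is None or ver < patched or (ver == patched and pre):
            flagged.append((name, ".".join(map(str, ver)) + pre, path))
    return flagged

# Constructed sample output, not taken from a real host.
SAMPLE = """\
Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 10.0.0-rc.1.25451.107 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for name, version, path in needs_review(SAMPLE):
        print(f"REVIEW {name} {version} at {path}")
```

Self-contained deployments bundle their own copy of the runtime and do not appear in this listing, so they need a separate inventory.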
Critical Office Vulnerabilities
Two critical remote code execution flaws in Microsoft Office deserve special attention: CVE-2026-26113 and CVE-2026-26110. Both can be triggered simply by viewing a maliciously crafted message in Outlook’s Preview Pane — meaning you don’t even need to open an attachment. This is a particularly dangerous attack vector since many users preview emails without thinking twice.
AI-Discovered Vulnerability
One notable aspect of this Patch Tuesday is CVE-2026-21536, a critical 9.8-rated vulnerability discovered by an AI security agent called XBOW — without access to source code. This marks an emerging trend of AI-assisted vulnerability discovery that is accelerating the pace at which critical flaws are found and disclosed.
How to Update
On Windows 11: Settings → Windows Update → Check for updates
On Windows 10: Settings → Update & Security → Windows Update
Server administrators should prioritize SQL Server patches and the Windows Server 2022 out-of-band update released March 2 for Windows Hello for Business.


