Microsoft has rolled out updates addressing 83 security vulnerabilities in its March 2026 Patch Tuesday release. While none of these flaws have been identified as actively exploited, two have been publicly disclosed, according to the company’s advisories.
Publicly Disclosed Vulnerabilities
The disclosed vulnerabilities include CVE-2026-26127, a denial-of-service (DoS) issue in .NET, and CVE-2026-21262, an elevation of privilege flaw in SQL Server. Experts, including Tenable’s Satnam Narang, suggest these flaws are not easily exploitable. The DoS vulnerability requires prior authorization, and the privilege escalation bug is also considered low-risk.
Critical Vulnerabilities and Mitigations
The update addresses a critical-severity vulnerability, CVE-2026-21536, with a CVSS score of 9.8. Microsoft has already mitigated this remote code execution flaw in the Devices Pricing Program, so no further action is needed from users. Another notable issue is CVE-2026-26118, an elevation of privilege defect in Azure MCP Server Tools, which could be exploited through malicious input.
Additional Patch Details
Narang also highlights potential concerns regarding privilege escalation issues in Windows components such as Graphics Component, Accessibility Infrastructure, Kernel, SMB Server, and Winlogon. Tyler Reguly from Fortra emphasizes the importance of secure asset management, particularly in cloud systems where five Azure vulnerabilities were patched, including an elevation of privilege in Azure Linux Virtual Machines and vulnerabilities in Azure IoT Explorer.
Alongside these, Microsoft has addressed 10 non-Microsoft CVEs, with fixes for the Microsoft Semantic Kernel Python SDK and several for Microsoft Edge, which is Chromium-based.
Looking Ahead
Security experts advise Chief Security Officers (CSOs) to maintain comprehensive asset inventories to ensure timely patch deployment. As Microsoft continues to enhance its security measures, staying informed about these updates is crucial for IT teams. Concurrently, Adobe has released fixes for 80 vulnerabilities in its products, highlighting a continued industry-wide focus on cybersecurity.
