On Tuesday, Microsoft announced the release of patches addressing 84 new security vulnerabilities across its software products, including two critical zero-day flaws that have been publicly disclosed. Out of these, eight vulnerabilities are deemed Critical, while the remaining 76 are categorized as Important. The update addresses a range of issues, including privilege escalation, remote code execution, information disclosure, spoofing, denial-of-service, and security feature bypass.
Key Vulnerabilities and Their Impact
This month’s update also includes fixes for 10 vulnerabilities in Microsoft’s Chromium-based Edge browser, following the February 2026 Patch Tuesday release. Among the two publicly known zero-days, CVE-2026-26127 is a denial-of-service flaw in .NET with a CVSS score of 7.5, and CVE-2026-21262 is an elevation of privilege issue in SQL Server scoring 8.8.
The highest CVSS rated vulnerability patched this month is a critical remote code execution flaw, CVE-2026-21536, in the Microsoft Devices Pricing Program, with a score of 9.8. Microsoft has confirmed that this vulnerability has been fully mitigated, requiring no user intervention. The discovery of this flaw is credited to the AI-powered XBOW platform.
Focus on Privilege Escalation Flaws
Privilege escalation bugs accounted for over half of the vulnerabilities addressed this month, with six marked as more likely to be exploited across several Windows components. These types of vulnerabilities are often leveraged by attackers post-compromise to gain elevated permissions on a system. Notably, the Winlogon flaw, CVE-2026-25187, allows attackers to exploit improper link resolution for SYSTEM-level access, as identified by Google Project Zero’s James Forshaw.
The Winlogon vulnerability, due to its low complexity and lack of user interaction requirements, poses a significant threat once initial access is gained. Additionally, CVE-2026-26118, a server-side request forgery vulnerability in Azure’s Model Context Protocol server, could enable attackers to escalate privileges over a network by exploiting the MCP server’s managed identity token.
Addressing Critical Information Disclosure
Among the Critical vulnerabilities patched, an information disclosure issue in Excel, CVE-2026-26144, stands out. This flaw involves cross-site scripting due to improper input neutralization during web page generation. Exploitation could lead to data exfiltration via Copilot Agent mode, posing significant risks in environments where Excel files contain sensitive information.
According to Alex Vovk, CEO of Action1, such vulnerabilities are particularly concerning in corporate settings where confidential data could be extracted without triggering alerts. Organizations using AI-assisted productivity features may face additional exposure, as automated processes could inadvertently share sensitive information.
In response to these security challenges, Microsoft is enhancing the default behavior of Windows Autopatch by implementing hotpatch security updates. This change, effective from May 2026, aims to accelerate patch deployment, achieving up to 90% compliance in half the time without necessitating restarts.
Through these updates, Microsoft continues to prioritize the security and integrity of its software, addressing both immediate threats and implementing long-term protective measures.
