Commissioned, Curated and Published by Russ. Researched and written with AI.


What’s New This Week

Microsoft’s March 2026 Patch Tuesday, released on March 10, addresses 78 vulnerabilities across Windows, Office, Azure, SQL Server, and .NET – including CVE-2026-21262, a SQL Server elevation-of-privilege zero-day that was actively exploited in the wild at time of release. The update also patches two Critical Office RCE bugs exploitable via the preview pane, and a novel Excel/Copilot information disclosure flaw that Microsoft warns could enable zero-click data exfiltration.


Changelog

Date          Summary
23 Mar 2026   Initial publication covering March 2026 Patch Tuesday zero-day.

CVE-2026-21262 is the one to move on first. It is a SQL Server elevation-of-privilege flaw affecting SQL Server 2016 and later, granting SQLAdmin privileges through an improper access control bug over the network. According to CybersecurityNews, this was the sole actively exploited zero-day in the March release. Microsoft has not publicly attributed exploitation to a specific threat actor.

A second vulnerability, CVE-2026-26127, a .NET denial-of-service flaw, was publicly disclosed before the patch shipped – which raises the risk of opportunistic exploitation even though no in-the-wild activity has been confirmed.

The Office Surface Area Is Getting Worse

The two Critical Office RCE bugs this month – CVE-2026-26113 and CVE-2026-26110 – are both exploitable via the preview pane. No clicks required. If your environment has users previewing externally sourced documents (and it does), these are functional delivery vectors for arbitrary code execution in the current user context. Prioritise Office patching alongside SQL Server.

The Excel flaw CVE-2026-26144 deserves separate attention for a different reason. Microsoft rates it Critical despite its information disclosure class – because a successful exploit can cause Copilot’s agent mode to exfiltrate data via unintended network egress. Microsoft’s advisory describes it as a “zero-click information disclosure attack.” If you are running Copilot in agent mode in enterprise environments, this is not a theoretical risk.

Four additional Excel RCE bugs (CVE-2026-26107 through CVE-2026-26112) round out the Office category. SharePoint also gets two RCE patches (CVE-2026-26114 and CVE-2026-26106), which matter for internally exposed environments where SharePoint is a high-value lateral movement target.

The Patching Gap Is Structural

The broader context here is not the patch count – 78 is a fairly normal month. It is how long these vulnerabilities stay open after disclosure.

Rapid7’s 2026 Global Threat Landscape Report found the median time from vulnerability publication to inclusion in the CISA Known Exploited Vulnerabilities catalog has dropped from 8.5 days to 5.0 days. Attackers are using patch diffing tools to reverse-engineer fixes within 24 to 48 hours of release. The exploitation window is now shorter than most organisations’ testing cycles.

BitSight’s analysis, cited in the gopher.security research, is blunt: private sector admins frequently miss urgent patching deadlines for the most serious vulnerabilities. Cisco Talos reported that nearly 40% of all intrusions in Q4 2025 were driven by exploited vulnerabilities – the second consecutive quarter where exploits led as the initial access vector.

The structural problem is that responsible patch management requires testing. Testing takes time – up to two weeks in cautious environments. But attackers automate exploitation from patch release. The gap between “patch available” and “patch deployed” is where most organisations live, and adversaries know exactly how long that gap typically is.

What to Prioritise

CVE-2026-21262 (SQL Server EoP) is the actively exploited zero-day – move on this first, especially if SQL Server 2016+ is internet-adjacent or reachable from segments with high user traffic. The exploit works over the network, which means perimeter exposure matters.

Office is the second priority cluster. The preview-pane RCE bugs in CVE-2026-26113 and CVE-2026-26110 require no user interaction beyond file preview. Any environment where users open externally sourced files is exposed. CVE-2026-26144 needs attention if Copilot agent mode is deployed – the zero-click exfiltration path is an unusual attack class that most DLP tooling will not catch as a distinct event type.

SharePoint RCE (CVE-2026-26114 and CVE-2026-26106) is third on the list for most environments. SharePoint is commonly over-trusted on internal networks, which makes RCE there a high-value stepping stone.

The Elevation of Privilege category dominates this release at 43 of 78 CVEs – covering Windows Kernel, SMB Server, Winlogon, NTFS, WinSock, and Hyper-V among others. These are post-exploitation tools; they matter less if your initial access prevention is solid, but they significantly affect blast radius once an attacker is inside.

The pattern across recent Patch Tuesdays is consistent: the attack surface keeps expanding into cloud-integrated components. This month added Azure Arc, Azure MCP Server Tools, Azure Connected Machine Agent, and the Azure AD SSH Login extension for Linux to the fix list. If your infrastructure spans hybrid or cloud-managed endpoints, the blast radius of a missed patch has expanded considerably from the Windows-only era.

The 5-day median from disclosure to KEV inclusion should be your planning assumption for high-severity CVEs. If your testing cycle runs longer than that, you are deciding to accept exploitation risk on critical flaws as a matter of policy. That is a reasonable tradeoff in some environments – but it should be an explicit decision, not a default.
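To turn the priority order in “What to Prioritise” and the 5-day planning assumption above into something a patch team can run, here is an added triage helper (example code, not from the original post or from Microsoft). The CVE attributes are taken from the post; the release date is the 10 March Patch Tuesday, and the testing-cycle lengths passed in are hypothetical inputs.

```python
from dataclasses import dataclass
from datetime import date, timedelta

RELEASE = date(2026, 3, 10)   # March 2026 Patch Tuesday release date (from the post)
KEV_MEDIAN_DAYS = 5           # median publication-to-KEV time cited from Rapid7

@dataclass(frozen=True)
class Cve:
    cve_id: str
    product: str
    impact: str               # "EoP", "RCE", "InfoDisclosure", "DoS"
    exploited: bool = False   # actively exploited in the wild at release
    disclosed: bool = False   # publicly known before the patch shipped
    zero_click: bool = False  # preview-pane or Copilot agent-mode path

# Attributes below are taken from the post; this is a subset, not the full 78.
MARCH_2026 = [
    Cve("CVE-2026-21262", "SQL Server", "EoP", exploited=True),
    Cve("CVE-2026-26113", "Office", "RCE", zero_click=True),
    Cve("CVE-2026-26110", "Office", "RCE", zero_click=True),
    Cve("CVE-2026-26144", "Excel/Copilot", "InfoDisclosure", zero_click=True),
    Cve("CVE-2026-26127", ".NET", "DoS", disclosed=True),
    Cve("CVE-2026-26114", "SharePoint", "RCE"),
    Cve("CVE-2026-26106", "SharePoint", "RCE"),
    Cve("CVE-2026-26107", "Excel", "RCE"),
]

def tier(c: Cve) -> int:
    """0 = actively exploited, 1 = zero-click delivery, 2 = publicly disclosed,
    3 = other RCE, 4 = everything else (e.g. the 43 EoP bugs). Mirrors the post."""
    if c.exploited:
        return 0
    if c.zero_click:
        return 1
    if c.disclosed:
        return 2
    return 3 if c.impact == "RCE" else 4

def exposure_days(testing_days: int) -> int:
    """Days a fix stays undeployed past the median KEV-inclusion point."""
    return max(0, testing_days - KEV_MEDIAN_DAYS)

def deploy_date(testing_days: int, release: date = RELEASE) -> date:
    """Planned deployment date given a testing cycle that starts at release."""
    return release + timedelta(days=testing_days)

def triage(cves, testing_days: int):
    """Rank CVEs by tier (ties by id) and attach the exposure gap for tiers 0-2."""
    ranked = sorted(cves, key=lambda c: (tier(c), c.cve_id))
    return [(c.cve_id, tier(c), exposure_days(testing_days) if tier(c) <= 2 else 0)
            for c in ranked]
```

A two-week testing cycle against the 10 March release puts deployment on 24 March, nine days past the median KEV-inclusion point for every tier 0-2 item in the list.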