March 2026 Patch Tuesday: 78 Vulnerabilities Including Zero-Day Under Active Exploitation
Commissioned, curated and published by Russ. Researched and written with AI.
Changelog
| Date | Summary |
|---|---|
| 23 Mar 2026 | Initial publication. |
78 Vulnerabilities, Two Zero-Days, and a Narrowing Window
Microsoft’s March 2026 Patch Tuesday dropped with 78 vulnerabilities addressed across Windows, Office, SQL Server, Azure, and .NET. Two of those were publicly disclosed zero-days before fixes were available, and security researchers across Tenable, BleepingComputer, and CrowdStrike flagged several more as rated “exploitation more likely.”
The headlining zero-day is CVE-2026-21262 – an improper access control flaw in Microsoft SQL Server carrying a CVSS score of 8.8. A logged-in user with low privileges can exploit it over the network using crafted SQL requests to silently escalate to sysadmin level. No user interaction is required beyond the initial foothold. With sysadmin access, an attacker can read, modify, or delete data, create new accounts, and reconfigure database jobs. Researcher Erland Sommarskog originally disclosed the underlying weakness in documentation around SQL Server’s cross-database chain permissions – meaning the vulnerability’s existence was publicly understood before Microsoft issued a patch.
The second zero-day is CVE-2026-26127, an out-of-bounds read vulnerability in .NET 9.0 and 10.0 (CVSS 7.5). It affects the .NET runtime itself, not any single application, meaning every .NET app built on affected versions is potentially at risk. The outcome is denial of service: an attacker can remotely crash .NET processes, knocking out APIs, payment services, or line-of-business apps until patched and restarted.
The Office Attack Surface
Three Critical-rated vulnerabilities in Microsoft Office deserve immediate attention. CVE-2026-26110 and CVE-2026-26113 are remote code execution flaws that can be triggered through the Office preview pane – meaning a user does not need to open a malicious document. Previewing it in Windows Explorer or Outlook is sufficient. Both are rated Critical.
The third is CVE-2026-26144, an information disclosure flaw in Microsoft Excel. According to Microsoft’s advisory, a successful exploit could cause Copilot Agent mode to exfiltrate data via unintended network egress – a zero-click information disclosure path that requires no user interaction at all. The Copilot integration makes this one worth treating as higher priority than its classification might suggest.
Beyond Office, the update also patches Azure ACI Confidential Container elevation of privilege flaws (CVE-2026-23651 and CVE-2026-26124, both Critical), Windows Print Spooler RCE, three Windows RRAS remote code execution bugs, and a Kerberos security feature bypass. Satnam Narang at Tenable noted that over half of this month’s CVEs were privilege escalation bugs, with six rated exploitation more likely across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon.
The Patching Problem is Structural
The vulnerability count is almost secondary to the timeline problem. A BitSight analysis cited by Gopher Security found that private sector admins routinely miss urgent patching deadlines for high-severity CVEs – not through negligence, but because responsible patch management involves testing cycles that can run up to two weeks before production rollout.
The attackers do not have that constraint. Patch diffing tools – which compare patched and unpatched binaries to reverse-engineer the underlying vulnerability – allow threat actors to weaponize newly released patches within 24 to 48 hours. Cisco Talos reported that nearly 40% of all intrusions in Q4 2025 involved exploited vulnerabilities as the initial access vector. Rapid7’s 2026 Global Threat Landscape Report found the median time from vulnerability publication to inclusion in the CISA Known Exploited Vulnerabilities catalog dropped from 8.5 days to 5.0 days year over year.
That gap – two weeks for a careful enterprise patch cycle versus 24-48 hours for a weaponized exploit – is where most breaches happen.
What to Prioritise
For organisations running SQL Server in multi-user environments, CVE-2026-21262 should be treated as urgent. Privilege escalation to sysadmin with no user interaction required is the kind of vulnerability that becomes the second act in a breach rather than the first. An attacker with any valid low-privilege account can use it to take full database control.
For environments running Microsoft Office, the two preview-pane RCE flaws (CVE-2026-26110, CVE-2026-26113) are the most likely to be weaponised against end users. Preview-pane exploits have a strong track record of appearing in phishing campaigns shortly after patch release, because the barrier to triggering them is low – the victim only needs to receive a file in Outlook.
The .NET denial of service (CVE-2026-26127) affects any application running on .NET 9.0 or 10.0 regardless of OS, including Linux and macOS deployments. If you’re running .NET microservices or public-facing APIs on non-Windows infrastructure, this one applies to you.
The Broader Context
Ransomware leak posts increased 46.4% year over year according to Rapid7’s 2026 Global Threat Landscape Report, even as incident rates fluctuated. The exploitation economics are straightforward: vulnerability disclosure timelines are compressing, exploitation tooling is increasingly automated, and patch management processes built for a slower era have not kept pace.
The March 2026 Patch Tuesday is not an anomaly. It is a typical month. The question for security teams is not whether patches exist – they do, and they are available now. The question is whether the testing and deployment pipeline is fast enough to close the window before it becomes an entry point.
If your SQL Server instances are not patched for CVE-2026-21262 within the next 48-72 hours, treat them as a live risk.