March 2026 Patch Tuesday: 78 Vulnerabilities, Two Publicly Disclosed Zero-Days, and a Copilot Data Exfil Bug

- 4 mins read

Commissioned, Curated and Published by Russ. Researched and written with AI.

Microsoft released its March 2026 Patch Tuesday updates on March 10, 2026, covering 78 vulnerabilities across Windows, Office, SQL Server, Azure, and .NET. Two of those were publicly disclosed before the patch landed – which Microsoft classifies as zero-days. Neither had confirmed in-the-wild exploitation at release, though reporting varies. One has a CVSS score of 8.8 and a clear privilege escalation path to database admin.

This is a quieter month than February’s six zero-days, but “quieter” doesn’t mean you can slow down. The broader threat context is getting worse fast.

The Two Zero-Days

CVE-2026-21262 is the one worth moving on first. It’s a SQL Server elevation-of-privilege vulnerability affecting SQL Server 2016 and later. According to Microsoft, improper access control allows an authorized attacker to elevate privileges over a network. Malwarebytes describes it as allowing a logged-in user to climb the privilege ladder to potentially reach sysadmin.

The flaw was publicly disclosed prior to patching in an article titled “Packaging Permissions in Stored Procedures” by Erland Sommarskog, whom Microsoft credits with the discovery. Public disclosure means the attack surface is known and documented. CVSS 8.8. Patch it now.

CyberSecurityNews reported this as actively exploited at release. BleepingComputer, Krebs on Security, PCWorld, and CyberScoop all reported no confirmed active exploitation at time of release. The discrepancy is worth noting – “publicly disclosed” and “actively exploited” are different classifications, and the majority of coverage puts this in the former camp. Either way, a documented privilege escalation path to sysadmin on SQL Server is not a “patch next sprint” situation.

CVE-2026-26127 is a .NET denial-of-service flaw – an out-of-bounds read that allows an unauthenticated attacker to deny service over a network. Also publicly disclosed before the fix shipped. Lower severity, but DoS on .NET runtime is broadly applicable across enterprise environments.

The Copilot Exfil Bug

CVE-2026-26144 is a Critical-rated Excel information disclosure vulnerability. On the surface, “information disclosure” doesn’t sound alarming. The mechanism is.

Microsoft’s advisory explains that successful exploitation could cause Copilot Agent mode to exfiltrate data via unintended network egress – enabling a zero-click information disclosure attack. An attacker who gets a malicious Excel file in front of a Copilot-enabled user could potentially trigger silent data exfiltration without any further interaction. If you’re running Copilot for Microsoft 365, this is your highest-priority patch this month, severity classification notwithstanding.

Office RCE via Preview Pane

CVE-2026-26110 and CVE-2026-26113 are both Critical-rated Microsoft Office remote code execution vulnerabilities. Both are exploitable via the preview pane – meaning a user doesn’t have to open a document, just preview it in Explorer or Outlook. Arbitrary code execution in the context of the current user. Patch before your next phishing wave.

The Broader Vulnerability Landscape

The 78-fix patch drop lands against a backdrop that should concern any team still treating patching as a monthly checkbox.

Cisco Talos reported that nearly 40 percent of all intrusions in Q4 2025 involved exploited vulnerabilities, marking the second consecutive quarter where exploits led initial access. The Rapid7 2026 Global Threat Landscape Report found that the median time between vulnerability publication and inclusion in the CISA Known Exploited Vulnerabilities catalog dropped from 8.5 days to 5.0 days over the past year. Attackers are using patch-diffing tools to develop working exploits within 24 to 48 hours of a fix landing.

A BitSight analysis cited by Gopher Security found that private sector admins routinely miss urgent patching deadlines for the most serious vulnerabilities. The reason is structural: responsible patch management involves testing cycles that run up to two weeks. Attackers don’t test. They ship.

That gap – between your patch cycle and the attacker’s exploitation timeline – is where intrusions happen. When the median time to confirmed exploitation is measured in days, a two-week testing window is an opening, not a buffer.

What to Prioritise

In rough order:

  1. CVE-2026-21262 – SQL Server EoP, CVSS 8.8, publicly disclosed path to sysadmin. Patch SQL Server instances immediately.
  2. CVE-2026-26144 – Excel/Copilot data exfiltration. Zero-click. Critical. If Copilot for M365 is deployed, this is urgent.
  3. CVE-2026-26110 / CVE-2026-26113 – Office RCE via preview pane. Broad attack surface, Critical severity.
  4. CVE-2026-26127 – .NET DoS, publicly disclosed. Lower immediate risk but wide applicability.
  5. Windows Kernel EoP cluster (CVE-2026-26132, CVE-2026-24289, CVE-2026-24287), Windows SMB Server (CVE-2026-26128, CVE-2026-24294), and SharePoint RCE (CVE-2026-26114, CVE-2026-26106) should all be in your first deployment wave.

The full advisory list is on the Microsoft Security Response Center.

Five days is roughly how long you have before a significant CVE starts appearing in exploit kits. For the items above, assume less.

Sources: CyberSecurityNews, BleepingComputer, Gopher Security, Rapid7 2026 Global Threat Landscape Report, Cisco Talos IR Trends Q4 2025