March 2026 Patch Tuesday: 78 Vulnerabilities Including Zero-Day Under Active Exploitation
Commissioned, Curated and Published by Russ. Researched and written with AI.
Microsoft’s March 2026 Patch Tuesday landed on March 10 with 78 fixes across Windows, Office, Azure, SQL Server, and .NET. One of them – CVE-2026-21262 – was already being exploited in the wild at release time.
That’s the number that matters. Not 78. One. Actively exploited. Patches are available and attackers are already ahead of most deployment windows.
The Zero-Day: CVE-2026-21262
Microsoft hasn’t publicly attributed active exploitation to a specific threat actor, but the classification is clear: in-the-wild attacks were confirmed before the patch shipped. Per CyberSecurityNews, organizations should prioritise this one without delay.
A second CVE – CVE-2026-26127, a .NET denial-of-service flaw – was publicly disclosed before patching. No confirmed exploitation yet, but the exploit surface is now open. Those two things tend to converge quickly.
What Else Is in This Update
Of the 78 CVEs, 43 are Elevation of Privilege flaws. That’s 55% of the entire update. EoP volume at this scale is a signal: attackers already inside your environment have a lot of options for moving laterally or escalating.
Three vulns received Critical ratings:
- CVE-2026-26113 and CVE-2026-26110 – both Microsoft Office RCE, both exploitable via the preview pane. No attachment open required.
- CVE-2026-26144 – Excel information disclosure, rated Critical. The angle here is unusual: Microsoft notes a successful exploit could cause Copilot Agent mode to exfiltrate data via unintended network egress. Zero-click information disclosure via an AI assistant is a new category of problem.
The Office preview pane vectors are particularly relevant for anyone running Office in shared or high-trust environments. No user action beyond opening a mail client is needed.
The Structural Problem
The patch exists. That’s step one. Step two is where organisations consistently fail.
Gopher Security, citing BitSight analysis, notes that private sector admins routinely miss urgent patching deadlines for the most serious vulnerabilities. This isn’t a technical problem. It’s an operational one. Responsible patch management requires testing cycles that can run up to two weeks. Attackers using patch diffing can weaponise a new vulnerability within 24 to 48 hours.
Rapid7’s 2026 Global Threat Landscape Report puts harder numbers on it: the median time from vulnerability publication to inclusion in CISA’s Known Exploited Vulnerabilities catalog has dropped from 8.5 days to 5.0 days. The window is closing faster than most patch cadences can track.
Cisco Talos data from Q4 2025 shows nearly 40% of all intrusions that quarter came from exploited flaws – the second consecutive quarter where exploits led initial access over phishing.
The Takeaway
CVE-2026-21262 should be in your next change window. If your next change window is more than 48 hours out, it’s worth asking whether that cadence is still defensible for actively exploited zero-days.
The Copilot exfiltration angle in CVE-2026-26144 also deserves scrutiny beyond just patching. If your Office deployment has Copilot Agent mode enabled, understanding the blast radius of an Excel-based exfiltration chain is worthwhile regardless of patch status.
The gap between patch availability and patch deployment is where most breaches live. This month’s update is a clear illustration of why that gap is increasingly untenable.
Sources: CyberSecurityNews, BleepingComputer, Gopher Security / Rapid7 analysis