March 2026 Patch Tuesday: 78 Vulnerabilities Including Zero-Day Under Active Exploitation

- 4 mins read

Commissioned, curated and published by Russ. Researched and written with AI.

78 CVEs patched on March 10, 2026. Two zero-days disclosed before the patch shipped. Three Critical-rated flaws. And the one the vendors are calling out as most urgent is a privilege escalation in SQL Server that lets an authenticated user climb all the way to sysadmin.

The Zero-Days

CVE-2026-21262 (CVSS 8.8) – SQL Server Elevation of Privilege. Improper access control allows an authorized attacker to escalate privileges over a network. The flaw was originally documented in Erland Sommarskog’s article on “Packaging Permissions in Stored Procedures” before Microsoft had a patch ready – making it publicly known and actively exploitable before the fix landed. CybersecurityNews and the Gopher Security analysis both flag this as actively exploited in the wild. BleepingComputer notes Microsoft hadn’t confirmed exploitation at time of release. Either way: patch SQL Server first.

CVE-2026-26127 (CVSS 7.5) – .NET Denial of Service. An out-of-bounds read allows an unauthenticated attacker to trigger a denial of service over a network. Publicly disclosed before patch. Lower severity but worth tracking given how widely .NET is deployed.

Critical Flaws

Three Critical-rated vulnerabilities this cycle:

CVE-2026-26113 and CVE-2026-26110 – Microsoft Office Remote Code Execution. Both are exploitable via the preview pane, which means no file opening required. An attacker just needs to get a malicious document in front of a user’s Outlook preview. This is the kind of thing that bypasses the “don’t open attachments” advice entirely. Patch Office immediately.

CVE-2026-26144 – Microsoft Excel Information Disclosure. The unusual bit here is the Copilot angle. Microsoft’s advisory notes that a successful exploit could cause Copilot Agent mode to exfiltrate data via unintended network egress – a “zero-click information disclosure attack” in their words. The classification as Critical despite being an info disclosure flaw signals the scope of what can leak.

The Broader Surface

43 of the 78 CVEs are Elevation of Privilege. That ratio matters: EoP flaws are the second stage of almost every modern intrusion chain. An attacker who gets code execution via a phishing payload or web exploit then needs to escalate – and this patch cycle handed attackers a menu to choose from before it was fixed.

Specific EoPs worth noting:

  • CVE-2026-26132 – Windows Kernel EoP
  • CVE-2026-24291 – Windows Accessibility Infrastructure (ATBroker.exe) EoP
  • CVE-2026-24294 – Windows SMB Server EoP
  • CVE-2026-25187 – Winlogon EoP
  • CVE-2026-26148 – Azure AD SSH Login extension for Linux EoP

On the RCE side beyond Office:

  • CVE-2026-26114 and CVE-2026-26106 – SharePoint Server RCE. SharePoint sits on internal networks and is a high-value lateral movement target.
  • CVE-2026-26111, CVE-2026-25172, CVE-2026-25173 – Windows Routing and Remote Access Service (RRAS) RCE. Three separate RRAS flaws in one cycle.
  • CVE-2026-23669 – Windows Print Spooler RCE. Print Spooler is still delivering problems in 2026.
  • CVE-2026-25190 – GDI Remote Code Execution.

Cloud-facing fixes include several Azure Arc and Azure IoT Explorer flaws, plus EoPs in the Azure Connected Machine Agent (CVE-2026-26117) and Azure MCP Server Tools (CVE-2026-26118). If you’re running Arc-enabled Windows VMs, those go on the priority list.

The Patching Window Problem

This is where the operational pressure lies. Rapid7’s 2026 Global Threat Landscape Report found that the median time between a vulnerability’s publication and its inclusion in the CISA KEV catalog has dropped from 8.5 days to 5.0 days. Attackers are using patch diffing tools to reverse-engineer fixes and build exploits within 24 to 48 hours of a patch release.

Meanwhile, responsible patch management – testing, staging, rollout – realistically takes two weeks minimum for most enterprise environments. A BitSight analysis cited by Gopher Security notes that private sector admins are routinely missing urgent patching deadlines for the most severe CVEs.

The gap is structural. Defenders are operating on testing cycles. Attackers are operating on automated exploit generation pipelines.

Beyond Microsoft

March Patch Tuesday also brought fixes from other vendors:

  • Fortinet patched multiple vulnerabilities enabling malicious command execution, plus a separate FortiManager flaw.
  • Ivanti released fixes for Desktop and Server Management privilege escalation.
  • SAP patched multiple RCE-class vulnerabilities.
  • Zoom Workplace for Windows had privilege escalation bugs patched this cycle.

What to Do Now

Prioritise in this order:

  1. SQL Server – CVE-2026-21262. Patch this now. Don’t wait for a maintenance window.
  2. Microsoft Office – CVE-2026-26110 and CVE-2026-26113. Preview-pane RCE is a high-probability attack vector in email-heavy environments.
  3. Excel/Copilot – CVE-2026-26144 if Copilot is deployed.
  4. SharePoint – if externally accessible or on a sensitive internal network.
  5. RRAS – if routing services are exposed.
  6. Azure Arc / Connected Machine Agent – if running hybrid environments.

The 43 EoP flaws can wait slightly longer in terms of initial access risk, but they compound every other vulnerability on this list. A clean network with unpatched EoPs is still a network where a single foothold becomes a full compromise.

If your patch cadence is measured in weeks, the 5-day exploitation window is already past for this cycle. Plan accordingly for April.