Microsoft Patch Tuesday security updates for March 2026 fixed 84 bugs

Microsoft Patch Tuesday security updates for March 2026 addressed 84 vulnerabilities in its products. None of the flaws are known to be exploited so far.

Microsoft Patch Tuesday security updates for March 2026 addressed 84 vulnerabilities across its products. The IT giant addressed flaws across Windows, Office, Edge, Azure, SQL Server, Hyper-V, and ReFS. Including third-party and Chromium updates, the total reaches 94 vulnerabilities. Eight flaws are rated Critical and the rest Important. Two vulnerabilities, tracked as CVE-2026-26127 and CVE-2026-21262, were publicly disclosed, but none is known to be actively exploited.

Below are the descriptions of these flaws:

• CVE-2026-26127 (CVSS score of 7.5) – .NET out-of-bounds read allows unauthenticated remote attackers to cause denial of service against .NET-based apps over the network.zh-tw.tenable+2
• CVE-2026-21262 (CVSS score of 8.8) – Microsoft SQL Server elevation of privilege flaw letting an authenticated user escalate to full SQL sysadmin privileges on the database server.isc.sans+1

Other interesting flaws addressed by Microsoft are:

• CVE-2026-21536 (CVSS score of 9.8) – allows remote attackers to execute arbitrary code on Microsoft Devices Pricing Program services over the network without privileges or user interaction, marking it the most severe flaw in Microsoft’s March 2026 Patch Tuesday.
• CVE-2026-26110 (CVSS score of 8.4) – enables remote code execution in Microsoft Office through malicious files processed in the Preview Pane, potentially allowing zero-click exploitation when users simply view documents.

The full list of CVEs addressed by Microsoft Patch Tuesday security updates for March 2026 is available here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft)