March 2026 Patch Tuesday: Microsoft Fixes 77 Vulnerabilities – Windows, Office & More
Microsoft’s March 2026 Patch Tuesday addressed a total of 78 vulnerabilities across a broad range of products, including Windows, Microsoft Office, Azure, SQL Server, and .NET. While this month’s release doesn’t feature the immediate urgency of a “zero-day” exploit – February saw five such critical fixes – several patches warrant prompt attention, particularly for organizations heavily reliant on Windows systems. The updates, released on March 10, 2026, represent a routine but essential effort to bolster security against evolving threats.
Image: Shutterstock, @nwz.
Privilege Escalation and SQL Server Vulnerabilities
Two vulnerabilities disclosed publicly before the patch release demand particular scrutiny. CVE-2026-21262 affects SQL Server 2016 and later versions, allowing an attacker to elevate their privileges to system administrator level over a network. According to Rapid7’s Adam Barnett, the vulnerability’s CVSS v3 base score of 8.8, while just below “critical,” doesn’t diminish the risk. “It would be a courageous defender who shrugged and deferred the patches for this one,” Barnett stated. This highlights the potential for significant compromise if left unaddressed. The Microsoft Security Response Center (MSRC) provides detailed information on this advisory here.
The second publicly known flaw, CVE-2026-26127, impacts applications built on the .NET framework. While the immediate impact is likely limited to denial-of-service attacks – causing applications to crash – the potential for further exploitation during a service reboot exists. This vulnerability underscores the importance of promptly applying updates to maintain application stability and prevent potential security breaches.
Office Exploits and Preview Pane Risks
Microsoft Office remains a frequent target for attackers, and this Patch Tuesday is no exception. CVE-2026-26113 and CVE-2026-26110 are both remote code execution vulnerabilities that can be triggered simply by viewing a malicious message in the Preview Pane within Office applications. In other words a user doesn’t even need to open the message to be compromised, making it a particularly dangerous attack vector. This emphasizes the need for caution when handling emails from unknown or untrusted sources.
A Majority of Patches Address Privilege Escalation
Tenable’s Satnam Narang observed that a significant portion – 55% – of the vulnerabilities addressed in this Patch Tuesday relate to privilege escalation. Six of these were flagged as having a higher likelihood of exploitation, affecting core Windows components like the Graphics Component, Accessibility Infrastructure, Kernel, SMB Server, and Winlogon. These vulnerabilities, including CVE-2026-24291 (incorrect permissions in Windows Accessibility Infrastructure), CVE-2026-24294 (authentication issues in SMB), CVE-2026-24289 (memory corruption and race condition), and CVE-2026-25187 (Winlogon weakness discovered by Google Project Zero), represent substantial risks to system security. Details on these vulnerabilities can be found on the MSRC website.
AI-Driven Vulnerability Discovery
A noteworthy aspect of this Patch Tuesday is the identification of CVE-2026-21536, a critical remote code execution bug in the Microsoft Devices Pricing Program. This vulnerability was discovered by XBOW, a fully autonomous AI penetration testing agent. While Microsoft has already mitigated the issue on its finish, requiring no action from Windows users, it marks a significant milestone in the field of cybersecurity. According to Ben McCarthy, lead cyber security engineer at Immersive, this demonstrates the potential of AI to identify complex vulnerabilities without access to source code. XBOW has consistently ranked highly on the Hacker One bug bounty leaderboard, further validating its effectiveness. This development suggests that AI-assisted vulnerability research will develop into increasingly prevalent in the future.
Beyond Windows: Adobe and Firefox Updates
The security update landscape extends beyond Microsoft’s ecosystem. Adobe released updates to address 80 vulnerabilities, some of which are critical, in products like Acrobat and Adobe Commerce. Mozilla Firefox also issued a security update, version 148.0.2, resolving three high-severity CVEs. These updates highlight the importance of maintaining security across all software applications, not just the operating system. More information on Adobe’s security updates can be found here.
Windows Secure Boot Certificate Expiration – A Looming Concern
Alongside the immediate fixes of Patch Tuesday, Microsoft is also drawing attention to a longer-term security concern: the upcoming expiration of Secure Boot certificates. Starting in June 2026, these certificates – crucial for ensuring devices boot securely – will begin to expire. Devices that aren’t updated in time may be unable to boot securely, potentially leaving them vulnerable to malware and other attacks. Microsoft recommends reviewing guidance and taking action to update certificates in advance. Further details and preparation steps are available in KB5079473.
Staying Informed and Managing Updates
For a comprehensive overview of all the patches released this month, the SANS Internet Storm Center provides a detailed Patch Tuesday post. Administrators seeking ongoing information about problematic updates can consult AskWoody.com. Regularly applying security updates remains a cornerstone of a robust cybersecurity posture, and staying informed about the latest vulnerabilities and patches is crucial for protecting systems and data.