The Microsoft Patch Tuesday March 2026 release introduces security updates addressing 79 vulnerabilities, including two publicly disclosed zero-day vulnerabilities and several high-risk issues tied to remote code execution. The monthly security rollout includes fixes across multiple Microsoft products such as SQL Server, .NET, Microsoft Office, SharePoint Server, and Azure services.
Among the vulnerabilities patched in the Microsoft Patch Tuesday March 2026, three have been categorized as “Critical.” Two of these critical issues involve remote code execution, while the third is an information disclosure of vulnerability affecting Microsoft Excel. Although two zero-day vulnerabilities were publicly disclosed before the update, Microsoft reported no evidence that attackers had exploited them in real-world attacks.
Microsoft Patch Tuesday March 2026 Breakdown
The Microsoft Patch Tuesday March security updates address a wide range of vulnerabilities across multiple categories. In total, Microsoft fixed 46 elevation of privilege vulnerabilities, 18 remote code execution vulnerabilities, 10 information disclosure vulnerabilities, four denial of service vulnerabilities, four spoofing vulnerabilities, and two security feature bypass vulnerabilities.
The significant number of remote code execution flaws is particularly concerning because these types of vulnerabilities can allow attackers to run malicious code on targeted systems. As a result, applying the Microsoft Patch Tuesday March updates quickly is critical to reducing the risk posed by these security issues.
Two Zero-Day Vulnerabilities
Two zero-day vulnerabilities were publicly disclosed before patches became available. Microsoft defines a zero-day vulnerability as a flaw that becomes publicly known or actively exploited before an official fix is released.
CVE-2026-21262 – SQL Server Elevation of Privilege Vulnerability
One of the zero-day vulnerabilities fixed during Microsoft Patch Tuesday March affects SQL Server. The flaw allows attackers with authorized access to escalate privileges over a network and potentially obtain SQL administrator permissions.
Microsoft explained:
“Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.”
Security researcher Erland Sommarskog discovered the issue and previously discussed it in an article titled “Packaging Permissions in Stored Procedures.” The vulnerability carries a CVSS score of 8.8 and could allow attackers to gain SQL sysadmin privileges once logged in to a vulnerable system.
CVE-2026-26127 – .NET Denial of Service Vulnerability
The second publicly disclosed zero-day vulnerability affects Microsoft .NET. It stems from an out-of-bounds read that could allow an unauthenticated attacker to cause a denial-of-service condition remotely.
Microsoft stated:
“Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.”
The flaw was reported by an anonymous researcher. Despite being publicly disclosed, Microsoft indicated that exploitation appears unlikely.
Critical Remote Code Execution Bugs in Microsoft Office
The Microsoft Patch Tuesday March release also addresses two critical remote code execution vulnerabilities in Microsoft Office:
- CVE-2026-26110: Type confusion vulnerability
- CVE-2026-26113: Untrusted pointer dereference vulnerability
Both vulnerabilities could allow attackers to execute malicious code locally and can be triggered through the Preview Pane, meaning a user might not need to open a file for exploitation to occur. Because of the remote code execution risk, Microsoft recommends prioritizing updates for Office installations.
Another Office-related issue, CVE-2026-26109, is an “Important” vulnerability in Excel caused by an out-of-bounds read. Successful exploitation could allow attackers to execute code locally and compromise affected systems.
Excel Vulnerability Raises Data Exfiltration Concerns
One of the most notable issues patched during Microsoft Patch Tuesday March is CVE-2026-26144, a critical information disclosure vulnerability affecting Microsoft Excel with a CVSS score of 7.5.
The vulnerability stems from improper neutralization of input in Excel, potentially allowing attackers to extract sensitive information through a zero-click attack involving Microsoft Copilot.
Microsoft explained:
“An attacker who successfully exploited this vulnerability could potentially cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling a zero-click information disclosure attack.”
The flaw does not use the Preview Pane as an attack vector and currently has no known exploit code, with Microsoft assessing exploitation as unlikely.
However, security analysts from Project Overwatch warned about the potential implications. They described the issue as an unusual attack technique that leverages AI features:
“CVE-2026-26144 is unlike anything I’ve seen in 15 years of cybersecurity. This isn’t just another Office vulnerability. It’s a zero-click attack that weaponizes Copilot Agent to silently exfiltrate sensitive data from Excel spreadsheets.”
According to their analysis, the attack could manipulate Copilot into sending sensitive data outside an organization through unintended network connections.
And don’t miss our bug of the month! Each patch Tuesday we’ll be selecting our very favorite patch to highlight. This month, it CVE-2026-26144 – a Critical-rated info disclosure in Excel that uses the Copilot Agent to exfiltrate data. Neat! pic.twitter.com/2UC9cOz15c
— TrendAI Zero Day Initiative (@thezdi) March 10, 2026
TrendAI Zero Day Initiative also noted its take on the vulnerability. According to a video posted on X, the researchers stressed that “CVE-2026-26144 is a critically rated Excel info disclosure. And how do you get Excel info disclosure that is critical-rated? Well, you open an Excel doc, and then it allows Copilot to exfiltrate data out of your network. As Microsoft says, it’s a zero-click data exfiltration. Which is crazy. I count it as one click because you do have to open the doc. Preview pain is not an attack vector here, but it’s crazy. It’s really cool to see a bug that could use the AI component to do things that you don’t want to do. “
SharePoint and Azure Security Issues
The Microsoft Patch Tuesday March update also includes fixes for remote code execution vulnerabilities affecting Microsoft SharePoint Server:
- CVE-2026-26106: Improper input validation
- CVE-2026-26114: Deserialization of untrusted data
Both vulnerabilities allow authenticated attackers with Site Member permissions to execute code remotely on a SharePoint Server.
Another issue, CVE-2026-26118, affects Azure MCP Server Tools. This elevation-of-privilege vulnerability is caused by server-side request forgery (SSRF). Attackers could exploit it by sending crafted input to a Model Context Protocol server tool, potentially capturing a managed identity token and accessing resources associated with that identity.
Additional Privilege Escalation Risks
Several vulnerabilities rated “Important” were also marked as more likely to be exploited, including issues affecting:
- Windows Graphics Component
- Windows Kernel
- Windows Accessibility Infrastructure (ATBroker.exe)
- Windows SMB Server
- WinSock Ancillary Function Driver
- Winlogon
One such flaw, CVE-2026-26128, affects Windows SMB Server and allows attackers to gain SYSTEM privileges if successfully exploited.
