
March 2026 Patch Tuesday: Microsoft fixes 2 zero-days and 79 flaws

Microsoft shipped its March 2026 Patch Tuesday on the 10th with fixes for 79 vulnerabilities. Tenable counts 83 CVEs once you fold in advisories for adjacent products like Edge and a handful of Azure components. The breakdown by type shows where most of the work landed this month: 46 elevation of privilege flaws, 18 remote code execution, 10 information disclosure, 4 denial of service, 4 spoofing and 2 security feature bypass.

The two zero-days

Both zero-days were publicly disclosed before a patch existed, but neither was reported under active exploitation at release time.

The first is CVE-2026-21262, an elevation of privilege in SQL Server. Improper access control lets an authenticated attacker escalate over the network to SQLAdmin (sysadmin) privileges on the database. Erland Sommarskog surfaced it through his write-up “Packaging Permissions in Stored Procedures.” It carries a CVSS of 8.8.

The second is CVE-2026-26127, a denial of service in .NET. An out-of-bounds read lets an unauthenticated attacker take the service down over the network. The CVSS is 7.5 and Microsoft rates exploitation as less likely, but it affects .NET 9.0 and 10.0 on Windows, macOS and Linux. Patch the runtime wherever it runs, not just on Windows boxes.

The critical ones: Office and Excel

Among the flaws marked critical, the two that matter most for an ordinary workstation are a pair of Office RCEs, CVE-2026-26110 and CVE-2026-26113 (CVSS 8.4 each). They are exploitable through the preview pane, which means code can run without the user ever opening the file. A malicious document selected in Explorer or in a mail client is enough. Microsoft tags them as “exploitation less likely,” but the preview vector pushes them to the front of the queue.

Also on the list is CVE-2026-26144, an Excel information disclosure rooted in an XSS that can be chained with the Copilot Agent to exfiltrate data with no user interaction. It is an early look at what happens when AI agents meet classic office-app bugs: the agent becomes the exit channel for the leak.

The remaining critical fixes touch Azure infrastructure (Azure Compute Gallery, Payment Orchestrator) and components such as Compress::Raw::Zlib in Azure Linux/Mariner. These matter less for a desktop fleet, but they deserve attention if you run workloads on Microsoft’s cloud.

What to do

If you manage Windows, run the full cycle promptly and prioritise machines with Office and any internet-facing SQL Server. For .NET hosts, remember the fix does not arrive through Windows Update alone: update the runtime separately on macOS and Linux. Confirm Excel and the rest of Office are on the latest build, since the preview-pane vector does not depend on the user opening anything.
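The checklist above ends with updating the .NET runtime on the macOS and Linux hosts that Windows Update never touches. As an added example (not from the article, and not Microsoft tooling), the POSIX shell script below parses the output of `dotnet --list-runtimes` and flags every installed 9.0.x or 10.0.x runtime, the majors named for CVE-2026-26127, whose build is below a threshold you pass in. The patched build numbers are not stated in the article, so the thresholds are arguments to take from the Microsoft advisory; the sample runtime lines and the threshold values in the demo at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory installed .NET runtimes and flag the 9.0.x / 10.0.x
# builds that still need the March 2026 fix. Patched build numbers are NOT in
# the article; pass them as arguments taken from the Microsoft advisory.

# version_lt A B: succeed when dotted version A is lower than B (major.minor.patch).
# A prerelease suffix such as "-preview.1" is dropped before comparing.
version_lt() {
  a="${1%%-*}"; b="${2%%-*}"
  a1="${a%%.*}"; a="${a#*.}"; a2="${a%%.*}"; a3="${a#*.}"
  b1="${b%%.*}"; b="${b#*.}"; b2="${b%%.*}"; b3="${b#*.}"
  [ "$a1" -lt "$b1" ] && return 0
  [ "$a1" -gt "$b1" ] && return 1
  [ "$a2" -lt "$b2" ] && return 0
  [ "$a2" -gt "$b2" ] && return 1
  [ "$a3" -lt "$b3" ]
}

# affected_runtimes PATCHED_9 PATCHED_10: read `dotnet --list-runtimes` lines on
# stdin (format: "<runtime> <version> [<path>]") and print one NEEDS-UPDATE line
# per 9.0.x / 10.0.x runtime below the given patched build. Returns 1 if any
# were found, 0 otherwise, so it can gate a fleet check like any other test.
affected_runtimes() {
  patched9="$1"; patched10="$2"; status=0
  while read -r name ver rest; do
    case "$ver" in
      9.0.*)  min="$patched9" ;;
      10.0.*) min="$patched10" ;;
      *)      continue ;;   # other majors are not named as affected in the article
    esac
    if version_lt "$ver" "$min"; then
      printf '%s %s NEEDS-UPDATE (below %s)\n' "$name" "$ver" "$min"
      status=1
    fi
  done
  return $status
}

# Constructed sample output in the `dotnet --list-runtimes` format (not from a real host).
SAMPLE='Microsoft.NETCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 10.0.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 10.0.2 [/usr/share/dotnet/shared/Microsoft.NETCore.App]'

# Real use on a host:
#   dotnet --list-runtimes | affected_runtimes <patched-9.0.x> <patched-10.0.x>
# Stand-alone demo with constructed thresholds (9.0.5 and 10.0.2 are placeholders):
printf '%s\n' "$SAMPLE" | affected_runtimes 9.0.5 10.0.2 || echo "runtime update required on this host"
```

The function deliberately ignores other major versions rather than reporting them as safe: the article only names 9.0 and 10.0 as affected, and a host on an out-of-support major needs a different conversation than a missing patch.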
