Microsoft's March 2026 Patch Tuesday has landed with 84 security fixes covering Windows, Office, SQL Server, Azure, and .NET — including two publicly disclosed zero-days and a critical remote code execution vulnerability rated CVSS 9.8. The update also addresses a particularly concerning flaw in Microsoft Excel that could allow an attacker to silently exfiltrate data through Copilot's AI agent mode without any user interaction. With 55% of this month's CVEs being privilege escalation bugs — six of which are rated exploitation more likely — this is not a Patch Tuesday to delay. Every Windows user, developer, and IT team managing Microsoft infrastructure should be applying these updates today.
Affected products
- Windows (all supported versions — multiple privilege escalation flaws)
- Microsoft SQL Server 2016 and later (CVE-2026-21262, CVSS 8.8)
- .NET Framework (CVE-2026-26127, CVSS 7.5)
- Microsoft Office / Excel (CVE-2026-26110, CVE-2026-26113, CVE-2026-26144)
- Windows Winlogon (CVE-2026-25187, CVSS 7.8)
- Azure Model Context Protocol Server (CVE-2026-26118, CVSS 8.8)
- Microsoft Devices Pricing Program (CVE-2026-21536, CVSS 9.8 — already mitigated by Microsoft)
- Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server
How to Fix
Step-by-step remediation
For home users and small businesses, the action is simple: open Windows Update and install everything available today. For Microsoft Office, update through File → Account → Update Options → Update Now and restart any Office applications afterward.

For enterprise IT teams, prioritize in this order:
- First, the six privilege escalation flaws rated exploitation more likely across Windows Graphics Component, Accessibility Infrastructure, Kernel, SMB Server, and Winlogon. These are the most likely to be weaponized in the near term.
- Second, patch every SQL Server instance running 2016 or later to close CVE-2026-21262 before an attacker with any level of database access uses it to become sysadmin.
- Third, update Microsoft Office to address both Preview Pane RCE flaws and the Excel Copilot data exfiltration vulnerability.

CVE-2026-21536 in the Microsoft Devices Pricing Program has already been resolved by Microsoft at the service level, so no action is needed on your part. Microsoft is also rolling out a new hotpatch update feature through Windows Autopatch and Intune that will allow security fixes to apply without a system restart, targeting 90% compliance in half the usual time starting with the May 2026 update.
What happened
The two publicly disclosed zero-days are CVE-2026-26127, a denial of service vulnerability in .NET caused by an out-of-bounds read that allows an unauthenticated remote attacker to crash .NET-based applications over a network, and CVE-2026-21262, an elevation of privilege flaw in SQL Server that allows an authenticated attacker to escalate their access all the way to full sysadmin privileges on the database server. Neither has been confirmed as actively exploited at the time of release, but public disclosure means attackers are already aware of both and will be moving to weaponize them quickly. The most severe vulnerability in the entire update is CVE-2026-21536, a CVSS 9.8 remote code execution flaw in the Microsoft Devices Pricing Program that required no privileges or user interaction to exploit; however, Microsoft has already fully mitigated this on their end and no action is needed from users. Notably, this is one of the first CVEs officially attributed to an AI agent rather than a human researcher.
Real-World Impact
The flaw that deserves the most attention from enterprise security teams is CVE-2026-26144 in Microsoft Excel. This cross-site scripting vulnerability could allow an attacker to cause Copilot Agent mode to silently exfiltrate data from inside the application as a zero-click attack, meaning no user action beyond opening or previewing a document is required. In corporate environments where Excel files routinely contain financial records, intellectual property, and operational data, this is a serious exposure. Organizations using AI-assisted productivity features face heightened risk because automated agents could transmit sensitive data outside corporate boundaries without triggering obvious alerts. The two Microsoft Office remote code execution flaws, CVE-2026-26110 and CVE-2026-26113, are equally urgent because both can be triggered simply by viewing a malicious document in the Preview Pane, without the user ever fully opening the file. The Winlogon privilege escalation flaw CVE-2026-25187 allows a locally authenticated attacker with low privileges to escalate to SYSTEM through a link-following vulnerability; it requires no user interaction and is rated low attack complexity, meaning that once an attacker has any foothold on a machine, this is a straightforward path to full control.
Technical Details
🛡️ Prevention Tips
Patch Tuesday is predictable — the second Tuesday of every month. Build it into your IT maintenance calendar as a fixed priority rather than something to get to when time allows. For organizations managing large Windows environments, use Windows Server Update Services or Microsoft Intune to deploy patches systematically and track compliance. The fact that 55% of this month's CVEs are privilege escalation bugs is a strong signal that attackers are focused on establishing footholds and then elevating access — make sure your endpoint detection tools are configured to alert on privilege escalation attempts, not just initial access. For the Office and Excel vulnerabilities specifically, consider temporarily disabling the Preview Pane in Outlook and Windows Explorer on critical systems until patches are confirmed deployed across your environment.
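As an added example (not from the article or from Microsoft), here is a PowerShell script that applies the Preview Pane workaround above on a critical workstation and records what it changed so the change can be reverted once the Office patches are confirmed deployed. It assumes Windows 10/11 with Office installed, an elevated session (HKLM writes), and a backup file name of my choosing; the registry paths and the NoReadingPane policy value are standard Windows locations.

```powershell
$ErrorActionPreference = 'Stop'
# Explorer policy "Turn off Preview Pane" lives here (NoReadingPane = 1).
$PolicyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Explorer and Outlook discover previewers from these keys (CLSID -> friendly name);
# 32-bit Office on 64-bit Windows registers under the WOW6432Node copy.
$HandlerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\PreviewHandlers'
)
$BackupFile  = Join-Path $env:ProgramData 'office-preview-mitigation.json'  # assumed name

function Disable-OfficePreview {
    New-Item -Path $PolicyKey -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name NoReadingPane -Value 1 -PropertyType DWord -Force | Out-Null

    # Unregister the Word/Excel/PowerPoint previewers. Removing the registration value
    # stops documents being rendered in the pane; the COM classes themselves stay intact.
    $removed = @()
    foreach ($key in $HandlerKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like '{*}' -and $p.Value -match 'Word|Excel|PowerPoint') {
                $removed += [pscustomobject]@{ Key = $key; Clsid = $p.Name; Name = $p.Value }
                Remove-ItemProperty -Path $key -Name $p.Name
            }
        }
    }
    ConvertTo-Json -InputObject $removed | Set-Content -Path $BackupFile
    Write-Host "Explorer preview pane off; $($removed.Count) Office previewer(s) unregistered. Backup: $BackupFile"
}

function Restore-OfficePreview {
    # Re-register the previewers and drop the policy once patch compliance is confirmed.
    foreach ($h in (Get-Content -Raw $BackupFile | ConvertFrom-Json)) {
        New-ItemProperty -Path $h.Key -Name $h.Clsid -Value $h.Name -PropertyType String -Force | Out-Null
    }
    Remove-ItemProperty -Path $PolicyKey -Name NoReadingPane -ErrorAction SilentlyContinue
    Write-Host 'Office previewers and Explorer preview pane restored.'
}

Disable-OfficePreview   # run Restore-OfficePreview after the March 2026 Office updates are verified
```

Users must sign out and back in (or restart Explorer and Outlook) for the policy and the handler changes to take effect.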
FAQs
Are any of these vulnerabilities being actively exploited right now?
The two zero-days — CVE-2026-26127 in .NET and CVE-2026-21262 in SQL Server — were publicly disclosed before today's patch release, meaning attackers know about them. However, neither has been confirmed as actively exploited at the time of release. That status can change quickly once patches are public and attackers can reverse-engineer the fixes, so apply updates immediately.
I use Microsoft Office at work. What should I be most worried about?
Two things. First, CVE-2026-26110 and CVE-2026-26113 are remote code execution flaws triggered just by previewing a malicious document in the Preview Pane — you don't even need to open the file. Second, CVE-2026-26144 in Excel can cause Copilot's AI agent to silently leak data from your files without any visible indication. Update Office today.
Last updated: March 11, 2026