Microsoft March 2026 Patch Tuesday Fixes Two Zero-Days and Dozens of Vulnerabilities
Microsoft’s March 2026 Patch Tuesday shipped fixes for 79 vulnerabilities, including two zero-day flaws. Public reporting and third-party patch reviews highlight a mix of Important and Critical issues across Microsoft’s ecosystem, including .NET (CVE-2026-26127 DoS; CVE-2026-26131 EoP), Active Directory Domain Services (CVE-2026-25177 EoP), ASP.NET Core (CVE-2026-26130 DoS), and multiple Azure components such as ACI Confidential Containers (CVE-2026-23651, CVE-2026-26124 EoP; CVE-2026-26122 information disclosure) and Azure IoT Explorer (CVE-2026-26121 spoofing; CVE-2026-23661/23662/23664 information disclosure).
Independent analysis (ZDI and SANS ISC) corroborated the breadth of affected products and provided additional scoring/metadata, including CVSS ratings and exploitability flags. ZDI’s review also called out additional Critical items in the release such as Microsoft Office RCE (CVE-2026-26110, CVE-2026-26113) and other high-impact vulnerabilities, while SANS ISC’s Patch Tuesday coverage additionally noted bundled Chromium-tracked fixes (multiple CVE-2026-3536 through CVE-2026-3544 entries) that commonly map to Microsoft’s browser/embedded Chromium components. Organizations should prioritize patching systems exposed to untrusted content or authentication boundaries (e.g., Office, AD DS, Azure agents/extensions) and validate deployment coverage across both Windows and cloud-connected workloads.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
SQL Server 2012 Parallel Data Warehouse support end date noted
Patch Tuesday coverage noted that SQL Server 2012 Parallel Data Warehouse would reach the end of extended support on March 31, 2026. This was highlighted as an important lifecycle milestone for organizations still running the product.
March 2026 updates include several high-severity critical issues
The March 2026 Patch Tuesday set also included notable high-severity vulnerabilities such as CVE-2026-21536 in Microsoft Devices Pricing Program and CVE-2026-26030 in Microsoft Semantic Kernel InMemoryVectorStore, along with multiple SharePoint, Office, Excel, RRAS, and Windows privilege-escalation flaws. These issues were identified as among the most severe bugs in the month's release.
Microsoft Authenticator mobile app flaw draws attention
Researchers highlighted CVE-2026-26123, an Important Microsoft Authenticator vulnerability on iOS and Android that could let a malicious app impersonate the legitimate Authenticator app by abusing a custom URL scheme handler. Commentary noted exploitation may require less user interaction than Microsoft's guidance suggested.
Researchers highlight SQL Server flaw CVE-2026-21262 as a major risk
Security coverage of the March 2026 updates singled out CVE-2026-21262, a SQL Server elevation-of-privilege vulnerability that could allow an authorized attacker to gain sysadmin privileges over the network on supported SQL Server versions. Analysts emphasized the risk posed by internet-exposed SQL Server deployments.
Microsoft discloses two publicly known flaws in March 2026 updates
The March 2026 release identified two publicly disclosed vulnerabilities: CVE-2026-21262 in SQL Server and CVE-2026-26127 in .NET. Multiple sources noted these were publicly disclosed at release time, while most reporting said there was no evidence of active exploitation.
Microsoft releases March 2026 Patch Tuesday updates
On March 10, 2026, Microsoft released its March Patch Tuesday security updates covering roughly 77-79 vulnerabilities across Windows, Office, Azure, SQL Server, SharePoint, .NET, Edge, and related products. The release included a mix of Critical and Important flaws spanning remote code execution, elevation of privilege, denial of service, information disclosure, spoofing, and security feature bypass.
Sources
7 references tracked.
Microsoft Patch Tuesday - March 2026 - Lansweeper (lansweeper.com)
Zero Day Initiative - The March 2026 Security Update Review (thezdi.com)
Microsoft Patch Tuesday March 2026 - SANS Internet Storm Center (isc.sans.edu)
Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws (bleepingcomputer.com)
Zero Day Initiative - The March 2026 Security Update Review (zerodayinitiative.com)
Microsoft Patch Tuesday March 2026 - SANS Internet Storm Center (isc.sans.edu)
Patch Tuesday - March 2026 (rapid7.com)


