Microsoft Patch Tuesday, March 2026 Version – Krebs on Security

Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software. There are no pressing “zero-day” bugs this month (compared with February’s zero-days), but as usual some patches may require immediate attention from organizations running Windows. Here are a few highlights from this month’s Patch Tuesday.
Two of the bugs that Microsoft patched today were previously publicly disclosed. CVE-2026-21262 is a vulnerability that allows an attacker to elevate their privileges in SQL Server 2016 and later versions.
“This is not just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker could elevate sysadmin privileges over the network,” Rapid7’s Adam Barnett said. “The CVSS v3 base score of 8.8 is just below the threshold for critical durability, as low-level privileges are required. It would be a brave defender who rubs and peels back the patches on this one.”
The other publicly disclosed flaw is CVE-2026-26127, a vulnerability in .NET. Barnett said the immediate impact of exploitation is likely to be limited to denial of service by causing a crash, with potential exposure to other types of attacks during service restarts.
It wouldn’t be a proper Patch Tuesday without at least one notable Microsoft Office exploit, and this month does not disappoint. CVE-2026-26113 and CVE-2026-26110 are both code execution flaws that can be triggered by viewing a booby-trapped message in the Preview Pane.
Satnam Narang of Tenable notes that more than half (55%) of all Patch Tuesday CVEs this month are privilege escalation bugs, and of those, a dozen are rated “highly exploitable” – across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server and Winlogon. These include:
- CVE-2026-24291: An incorrect permission assignment within Windows Accessibility Infrastructure that can be used to reach SYSTEM (CVSS 7.8)
- CVE-2026-24294: Improper authentication in SMB core (CVSS 7.8)
- CVE-2026-24289: Extreme memory corruption and race condition bug (CVSS 7.8)
- CVE-2026-25187: A vulnerability in the Winlogon process discovered by Google Project Zero (CVSS 7.8)
Ben McCarthy, lead cyber security developer at Focused, noted CVE-2026-21536, a critical remote code execution vulnerability in a component called the Microsoft Device Pricing System. Microsoft has already resolved the problem on its end, and fixing it does not require any action by Windows users. But McCarthy says it’s notable as one of the first vulnerabilities identified by an AI agent and officially recognized with a CVE assigned to the Windows operating system. It was found by XBOW, a fully autonomous AI penetration testing agent.
XBOW has consistently ranked at or near the top of the HackerOne bug bounty leaderboard over the past year. McCarthy said CVE-2026-21536 shows how AI agents can identify a 9.8-rated vulnerability without accessing the source code.
“While Microsoft has already closed and mitigated vulnerabilities, it highlights the shift to AI-driven detection of complex vulnerabilities at an increasing pace,” McCarthy said. “These developments suggest that AI-assisted vulnerability research will play a growing role in security.”
Microsoft earlier provided patches to address nine browser vulnerabilities, which are not included in the Patch Tuesday count above. In addition, Microsoft released an important out-of-band (emergency) update on March 2 for Windows Server 2022 to address a certificate renewal issue with the passwordless authentication technology Windows Hello for Business.
Separately, Adobe shipped updates to fix 80 vulnerabilities – some of them very serious – in various products, including Acrobat and Adobe Commerce. Mozilla Firefox v. 148.0.2 resolves three high-severity CVEs.
For complete details of all the patches released by Microsoft today, see the SANS Internet Storm Center’s Patch Tuesday post. For Windows business owners who wish to stay informed of any news regarding problematic updates, AskWoody.com is always worth a visit. Please feel free to leave a comment below if you encounter any issues with this month’s patches.



