
Microsoft Patches 84 Flaws on March Patch Tuesday, Including Two Public Zero Days

Microsoft on Tuesday released patches for a set of 84 new vulnerabilities affecting various software components, including two that were publicly known at the time of release.

Of these, eight are rated Critical and 76 are rated Important in severity. Forty-six of the patched vulnerabilities are privilege escalation bugs, followed by 18 remote code execution, 10 information disclosure, four spoofing, four denial of service, and two security feature bypass flaws.

The fixes are in addition to 10 vulnerabilities that have been addressed in the Chromium-based Edge browser since the release of the February 2026 Patch Tuesday update.

The two publicly disclosed vulnerabilities are CVE-2026-26127 (CVSS score: 7.5), a denial of service vulnerability in .NET, and CVE-2026-21262 (CVSS score: 8.8), an elevation of privilege vulnerability in SQL Server.

The vulnerability with the highest CVSS score in this month's update is CVE-2026-21536 (CVSS score: 9.8), a critical remote code execution flaw in Microsoft's Device Pricing System. According to Microsoft, the issue has been fully mitigated and no action is required from users. XBOW, an artificial intelligence (AI)-powered autonomous vulnerability detection platform, is credited with finding and reporting the issue.

“This month, more than half (55%) of all Patch Tuesday CVEs were elevation of privilege bugs, and of those, six were rated as ‘Exploitation More Likely’ across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon,” said Satnam Narang, senior staff research engineer at Tenable.

“We know that these bugs are often used by threat actors as part of a post-compromise operation, once they have entered systems by other means (social engineering, exploitation of other vulnerabilities).”

The Winlogon privilege escalation flaw (CVE-2026-25187, CVSS score: 7.8), in particular, stems from improper link resolution before file access (link following), which a local attacker can abuse to obtain SYSTEM privileges. Google Project Zero researcher James Forshaw is credited with reporting the vulnerability.

“The flaw allows a locally authenticated attacker with low privileges to exploit link tracking mode in the Winlogon system and gain SYSTEM privileges,” said Jacob Ashdown, cybersecurity engineer at Immersive. “The vulnerability doesn’t require user interaction and has a low attack complexity, making it an easy target once an attacker gains a foothold.”

Another vulnerability of note is CVE-2026-26118 (CVSS score: 8.8), a server-side request forgery (SSRF) bug in the Azure Model Context Protocol (MCP) Server that could allow an authorized attacker to elevate privileges over a network.

“An attacker could exploit this vulnerability by sending specially crafted input to an Azure Model Context Protocol (MCP) Server tool that accepts user-supplied parameters,” Microsoft said.

“If an attacker can interact with an MCP-backed agent, they can send a malicious URL instead of the normal Azure resource identifier. The MCP server then sends an outgoing request to that URL and, in doing so, may include its own managed identity token. This allows an attacker to take that token without needing administrative access.”

Successful exploitation of the vulnerability could allow an attacker to gain the permissions of the managed identity held by the MCP Server, and with it to read or act on any Azure resources that identity is authorized to access.
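The bug class described above is easy to reproduce in miniature. The following is an added example, not code from the Azure MCP Server or from Microsoft: it models a tool that takes a parameter meant to be an Azure Resource Manager (ARM) resource ID and builds an outbound request carrying the server's managed-identity token. The vulnerable version resolves the parameter with `urljoin()`, so an absolute or scheme-relative URL replaces the management host and the token is sent to the attacker; the hardened version only accepts a well-formed resource ID path and refuses to attach the token unless the final URL targets the fixed management endpoint. The host name, API version and token value are assumed placeholders, and no network request is made; the functions return the request they would send.

```python
"""SSRF via a 'resource ID' tool parameter, and the hardened version.

Added example; not the Azure MCP Server's code. MANAGEMENT_HOST, API_VERSION
and MANAGED_IDENTITY_TOKEN are assumptions/constructed placeholders.
"""
import re
from urllib.parse import urljoin, urlsplit

MANAGEMENT_HOST = "management.azure.com"          # assumed fixed ARM endpoint
API_VERSION = "2021-04-01"                        # assumed ARM API version
MANAGED_IDENTITY_TOKEN = "eyJ.constructed.token"  # constructed placeholder

# ARM resource IDs look like
# /subscriptions/{guid}/resourceGroups/{rg}/providers/{ns}/{type}/{name}[/...]
_GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
_SEGMENT = r"[A-Za-z0-9._()-]+"
_RESOURCE_ID_RE = re.compile(rf"/subscriptions/{_GUID}(?:/{_SEGMENT})*")


def _authorized(url: str) -> dict:
    """Request the server would send, with its own identity token attached."""
    return {"url": url, "headers": {"Authorization": f"Bearer {MANAGED_IDENTITY_TOKEN}"}}


def vulnerable_build_request(resource_id: str) -> dict:
    """Vulnerable pattern: urljoin() treats an absolute ('https://...') or
    scheme-relative ('//host/...') input as a new base, so the token goes to
    whatever host the caller supplied instead of MANAGEMENT_HOST."""
    url = urljoin(f"https://{MANAGEMENT_HOST}/", resource_id)
    return _authorized(f"{url}?api-version={API_VERSION}")


def parse_resource_id(resource_id: str) -> str:
    """Accept only a bare ARM resource ID path. URLs, scheme-relative
    references, query strings, fragments, percent-encoding and dot segments
    all fail the allowlist and raise ValueError."""
    if not _RESOURCE_ID_RE.fullmatch(resource_id):
        raise ValueError("not an ARM resource ID")
    # The segment charset allows '.', so reject '.' and '..' explicitly.
    if any(seg.strip(".") == "" for seg in resource_id.split("/")[1:]):
        raise ValueError("dot segment in resource ID")
    return resource_id


def safe_build_request(resource_id: str) -> dict:
    """Hardened pattern: the host is a constant, the user controls only a
    validated path, and the token is attached only after re-parsing the
    final URL and confirming it targets the management endpoint."""
    path = parse_resource_id(resource_id)
    url = f"https://{MANAGEMENT_HOST}{path}?api-version={API_VERSION}"
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != MANAGEMENT_HOST:
        raise ValueError(f"refusing to send identity token to {parts.netloc!r}")
    return _authorized(url)


def token_destination(request: dict) -> str:
    """Host that would receive the Authorization header for this request."""
    return urlsplit(request["url"]).netloc


def is_accepted(resource_id: str) -> bool:
    """True if the hardened builder accepts the input, False if it rejects it."""
    try:
        safe_build_request(resource_id)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    good = ("/subscriptions/00000000-0000-0000-0000-000000000000"
            "/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/acct1")
    for candidate in (good, "https://attacker.example/steal", "//attacker.example/steal"):
        print(f"{candidate!r}")
        print("  vulnerable sends token to:", token_destination(vulnerable_build_request(candidate)))
        print("  hardened accepts:", is_accepted(candidate))
```

The defence that matters is the second one in `safe_build_request`: validating the input is necessary, but re-parsing the fully built URL and comparing the host to a constant means a future regex mistake cannot silently redirect the identity token off the management endpoint.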

Among the critical bugs that Microsoft has resolved is an information disclosure bug in Excel. Tracked as CVE-2026-26144 (CVSS score: 7.5), it is described as a cross-site scripting (XSS) issue caused by improper neutralization of input during web page generation.

The Windows maker said an attacker who exploited the flaw could cause the Copilot Agent mode to leak data as part of a zero-click attack.

“The risk of information disclosure is especially dangerous in corporate environments where Excel files often contain financial data, intellectual property, or operational records,” said Alex Vovk, CEO and founder of Action1, in a statement.

“If exploited, attackers can silently extract confidential information from internal systems without triggering obvious alerts. Organizations using AI-assisted productivity features may face additional exposure, as automated agents can inadvertently transfer sensitive data outside corporate boundaries.”

The patches come as Microsoft said it is changing the default behavior of Windows Autopatch to enable hotpatch security updates, so that devices receive protection faster.

“This change in default behavior is coming to all devices eligible for Microsoft Intune and those accessing the service through the Microsoft Graph API starting with the May 2026 Windows security update,” Redmond said. “Applying security fixes without waiting for a reboot can get organizations 90% compliant in less time, while you’re still in control.”
