
Microsoft patches 83 CVEs in March 2026, two zero-days disclosed but none exploited

By Artem Safonov , Threat Analyst

Microsoft fixed 83 vulnerabilities in its March 2026 Patch Tuesday. The update, released on March 11, covers Windows, Office, SQL Server, Azure, and .NET. Eight of the 83 are rated critical. Two were publicly disclosed before patches arrived, making them technically zero-days, though neither has been exploited in the wild.

CVE-2026-21536 scored the highest at CVSS 9.8. It is a remote code execution flaw in Microsoft's Devices Pricing Program. Microsoft said it has already mitigated the issue server-side. "There is no action for users of this service to take," the company stated.

The two zero-days are the SQL Server and .NET bugs. CVE-2026-21262 is an elevation of privilege flaw in SQL Server (CVSS 8.8) that lets an authenticated attacker, one who already holds a login on the instance, escalate to the sysadmin role. CVE-2026-26127 is a denial-of-service bug in .NET 9.0 and 10.0 (CVSS 7.5) caused by an out-of-bounds read. Both were publicly known before the patch drop, but Microsoft rated each "Exploitation Less Likely."

These bugs are more bark than bite. The DoS vulnerability is assessed as unlikely to be exploited and requires an attacker to be authorized beforehand, while the privilege escalation bug was deemed less likely to be exploited.

— Satnam Narang, senior staff research engineer at Tenable

Two critical Office RCE flaws affect enterprise deployments. CVE-2026-26113 and CVE-2026-26110 both scored CVSS 8.4. The Windows Preview Pane is an attack vector for both: the preview handler parses the file as soon as it is selected in File Explorer, so a user can be compromised without ever opening the malicious document.

If the security update cannot be applied immediately, organizations should disable the Preview Pane in file explorers and restrict the opening of Office files from untrusted sources.

— Jack Bicer, director of vulnerability research at Action1
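The interim mitigation Bicer describes, as an added PowerShell example rather than anything from the article, Action1, or Microsoft: it turns off preview handlers in File Explorer's preview pane for the current user and confirms the change took. It assumes the Explorer registry value ShowPreviewHandlers (a DWORD under the per-user Advanced key, 0 = off) governs that behavior and that Explorer has to be restarted to pick it up; the function names are the example's own.

```powershell
# Added example (not from the article or from Microsoft): interim mitigation for
# the Office Preview Pane RCEs by turning off preview handlers in File Explorer.
# Assumptions: the Explorer 'ShowPreviewHandlers' DWORD (0 = off) under the
# per-user Advanced key controls preview-pane rendering, and Explorer must be
# restarted to pick the change up. Function names are the example's own.

$PreviewKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$PreviewName = 'ShowPreviewHandlers'

function Get-PreviewHandlerState {
    # Returns 'enabled' or 'disabled'; an absent value means the Windows default (enabled).
    $item = Get-ItemProperty -Path $PreviewKey -Name $PreviewName -ErrorAction SilentlyContinue
    if ($null -eq $item)          { return 'enabled (default, value absent)' }
    if ($item.$PreviewName -eq 0) { return 'disabled' }
    return 'enabled'
}

function Disable-PreviewHandlers {
    if (-not (Test-Path $PreviewKey)) { New-Item -Path $PreviewKey -Force | Out-Null }
    Set-ItemProperty -Path $PreviewKey -Name $PreviewName -Value 0 -Type DWord
    # Explorer reads this setting at startup, so restart it for the change to take effect now.
    Stop-Process -Name explorer -Force
    Start-Process explorer.exe
}

# Run: record the state, apply the mitigation, confirm it stuck.
"Before: $(Get-PreviewHandlerState)"
Disable-PreviewHandlers
"After:  $(Get-PreviewHandlerState)"
```

The value is per-user, so for a fleet push it through a Group Policy preference or a script that runs in each user's context, and schedule the revert for after the security update lands. It does not touch Outlook's attachment previewing, which has its own Trust Center setting.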

Three Windows Kernel elevation of privilege flaws were patched, including CVE-2026-24289 and CVE-2026-26132, both rated CVSS 7.8. Microsoft tagged both as "Exploitation More Likely." A local, authenticated attacker could exploit them to gain SYSTEM privileges. Six kernel EoP flaws have been patched in 2026 so far, according to Tenable's count.

Azure MCP Server got its own patch. CVE-2026-26118 is an elevation of privilege flaw in Azure's implementation of MCP (Model Context Protocol), an open standard introduced by Anthropic in 2024 that lets large language models connect to external data sources. An attacker could exploit the flaw by sending crafted input to a vulnerable Azure MCP Server that accepts user-provided parameters, according to Tenable's analysis.

Elevation of privilege bugs dominated the release. They accounted for 55.4% of all patched CVEs, according to Tenable. Remote code execution flaws made up about 20.5%. The rest split across denial of service, information disclosure, spoofing, and security feature bypass categories.

I don't see a lot of reasons for people to stress.

— Tyler Reguly, associate director of security R&D at Fortra

Some Azure fixes require non-standard patching. Reguly noted that bugs in Azure IoT Explorer and Azure Linux Virtual Machines sit outside the normal Windows Update channel, and organizations need solid asset inventories of cloud-related tools so administrators know where these components are deployed.
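One way to build the inventory Reguly calls for, as an added PowerShell example (not from the article, Fortra, or Microsoft): it lists Azure Linux VMs across every subscription with the Az module and finds Azure IoT Explorer installs on a Windows host by scanning the uninstall keys of the machine and of each loaded user hive. Assumptions to verify in your own tenant: Azure Linux marketplace images carry the publisher MicrosoftCBLMariner, IoT Explorer registers an uninstall entry whose DisplayName contains "Azure IoT Explorer", and Az.Accounts and Az.Compute are installed with Connect-AzAccount already run. Function names and output file names are the example's own.

```powershell
# Added example (not from the article, Fortra, or Microsoft): inventory the two
# Azure components that are patched outside Windows Update.
# Assumptions: Az.Accounts and Az.Compute are installed and Connect-AzAccount has
# run; Azure Linux marketplace images use publisher 'MicrosoftCBLMariner'; Azure
# IoT Explorer writes a normal uninstall entry containing 'Azure IoT Explorer'.

function Get-AzureLinuxVm {
    # Walk every subscription the signed-in identity can see and return VMs
    # built from an Azure Linux (CBL-Mariner) marketplace image.
    foreach ($sub in Get-AzSubscription) {
        Set-AzContext -SubscriptionId $sub.Id | Out-Null
        Get-AzVM |
            Where-Object { $_.StorageProfile.ImageReference.Publisher -eq 'MicrosoftCBLMariner' } |
            Select-Object @{n='Subscription'; e={ $sub.Name }},
                          Name, ResourceGroupName,
                          @{n='Offer'; e={ $_.StorageProfile.ImageReference.Offer }},
                          @{n='Sku';   e={ $_.StorageProfile.ImageReference.Sku }}
    }
}

function Find-AzureIotExplorer {
    # Azure IoT Explorer is a desktop app that is usually installed per user, so
    # check HKLM (both registry views) plus every loaded user hive under HKEY_USERS.
    $hives = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $hives += Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE" }

    foreach ($hive in $hives) {
        Get-ItemProperty -Path "$hive\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*Azure IoT Explorer*' } |
            Select-Object @{n='Host'; e={ $env:COMPUTERNAME }},
                          @{n='Hive'; e={ $hive }},
                          DisplayName, DisplayVersion, InstallLocation
    }
}

# Run both and write CSVs for whatever patch tracker the team uses.
Get-AzureLinuxVm      | Export-Csv -Path .\azure-linux-vms.csv    -NoTypeInformation
Find-AzureIotExplorer | Export-Csv -Path .\azure-iot-explorer.csv -NoTypeInformation
```

Two gaps to keep in mind: VMs built from custom or Shared Image Gallery images carry no marketplace publisher, so cross-check those by OS name or tags, and only the hives of currently logged-on users are loaded under HKEY_USERS, so the endpoint scan belongs in your endpoint-management tool rather than a one-off run from an admin workstation.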

The March release is up from February's lighter 63-patch cycle. Adobe shipped 80 vulnerability fixes of its own on the same day, including high-severity flaws in Adobe Commerce. Microsoft distributed separate Edge browser updates for Chromium-related issues outside the main Patch Tuesday bundle.

Windows 10 and 11 users receive the fixes automatically through Windows Update. Administrators managing enterprise environments should prioritize the two Office Preview Pane RCEs (CVE-2026-26113, CVE-2026-26110) and the two "Exploitation More Likely" kernel EoPs (CVE-2026-24289, CVE-2026-26132). Systems running SQL Server should get the CVE-2026-21262 patch before the disclosed zero-day attracts weaponization attempts. Disabling the Preview Pane is a quick interim mitigation for the Office flaws.


Questions on the topic

What did Microsoft fix in March 2026 Patch Tuesday?
Microsoft patched 83 CVEs on March 11, 2026, including eight critical flaws and two publicly disclosed zero-days (CVE-2026-21262 in SQL Server and CVE-2026-26127 in .NET). None were exploited in the wild. Six flaws were tagged as Exploitation More Likely.