Microsoft Patch Tuesday, March 2026 Edition

Microsoft Corp. has rolled out a series of security updates today, addressing at least 77 vulnerabilities across its Windows operating systems and various software applications. While this month does not feature any urgent “zero-day” vulnerabilities—unlike February, which saw five such threats—certain patches warrant prompt attention from organizations running Windows. Below are some key highlights from this month’s Patch Tuesday.

Key Vulnerabilities and Patches

Among the vulnerabilities patched today, two were previously disclosed to the public. The first, CVE-2026-21262, presents a significant risk as it allows an attacker to elevate their privileges on SQL Server 2016 and later versions. Adam Barnett from Rapid7 emphasized the severity of this flaw, stating, “This isn’t just any elevation of privilege vulnerability; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network.” With a CVSS v3 base score of 8.8, this vulnerability is just shy of being classified as critical, making it essential for organizations to prioritize its patching.

The second publicly disclosed flaw, CVE-2026-26127, affects applications running on .NET. Barnett noted that while the immediate impact of this vulnerability may lead to denial of service by causing a crash, it could also open the door to other attack vectors during a service reboot.

No Patch Tuesday would be complete without addressing vulnerabilities in Microsoft Office. This month, two remote code execution flaws, CVE-2026-26113 and CVE-2026-26110, can be exploited simply by viewing a malicious message in the Preview Pane.

According to Satnam Narang from Tenable, over half (55%) of this month’s Patch Tuesday CVEs are related to privilege escalation, with six of these rated as “exploitation more likely.” These include vulnerabilities across various components such as:

  • CVE-2026-24291: Incorrect permission assignments within the Windows Accessibility Infrastructure (CVSS 7.8)
  • CVE-2026-24294: Improper authentication in the core SMB component (CVSS 7.8)
  • CVE-2026-24289: High-severity memory corruption and race condition flaw (CVSS 7.8)
  • CVE-2026-25187: Winlogon process weakness identified by Google Project Zero (CVSS 7.8)

Ben McCarthy, lead cyber security engineer at Immersive, highlighted the critical remote code execution bug CVE-2026-21536, which resides in the Microsoft Devices Pricing Program. Notably, this vulnerability was identified by an AI agent named XBOW, marking one of the first instances where a CVE has been attributed to an AI-driven discovery process. McCarthy remarked, “Although Microsoft has already patched and mitigated the vulnerability, it highlights a shift toward AI-driven discovery of complex vulnerabilities at increasing speed.”

In addition to the updates released today, Microsoft previously addressed nine browser vulnerabilities, which are not included in the Patch Tuesday count. Furthermore, an out-of-band update was issued on March 2 for Windows Server 2022 to rectify a certificate renewal issue related to the passwordless authentication technology, Windows Hello for Business.

On a related note, Adobe has also released updates to fix 80 vulnerabilities across various products, including Acrobat and Adobe Commerce, some of which are deemed critical. Mozilla Firefox version 148.0.2 has resolved three high-severity CVEs as well.

For those seeking a comprehensive overview of all the patches Microsoft released today, the SANS Internet Storm Center’s Patch Tuesday post serves as a valuable resource. Windows enterprise administrators are encouraged to stay informed about any potential issues with updates by visiting AskWoody.com. Should any users encounter difficulties applying this month’s patches, comments and discussions are welcomed below.
