Microsoft March 2026 Patch Tuesday Fixes 79 Flaws, Including Two Publicly Disclosed Zero-Days

Microsoft’s March 2026 Patch Tuesday includes security updates for 79 vulnerabilities, including two publicly disclosed zero-day flaws. Three vulnerabilities are classified as critical, two involving remote code execution and one tied to information disclosure.


Breakdown of Vulnerabilities

  • 46 Elevation of Privilege vulnerabilities
  • 18 Remote Code Execution vulnerabilities
  • 10 Information Disclosure vulnerabilities
  • 4 Denial of Service vulnerabilities
  • 4 Spoofing vulnerabilities
  • 2 Security Feature Bypass vulnerabilities

These totals do not include nine Microsoft Edge vulnerabilities or issues in Mariner, Azure, Payment Orchestrator Service, and Microsoft Devices Pricing Program that were patched earlier in the month. Non-security updates released alongside this cycle include Windows 11 KB5079473 and KB5078883, as well as the Windows 10 KB5078885 Extended Security Update.


Zero-Day Vulnerabilities

This month’s Patch Tuesday addresses two publicly disclosed zero-day vulnerabilities. At the time of release, neither was reported as actively exploited.

CVE-2026-21262 | SQL Server Elevation of Privilege Vulnerability

This vulnerability allows an authorized attacker to elevate privileges to SQLAdmin due to improper access control. Exploitation can occur over a network and may enable attackers to gain higher-level administrative permissions within SQL Server environments. The flaw was discovered by Erland Sommarskog.

CVE-2026-26127 | .NET Denial of Service Vulnerability

This vulnerability stems from an out-of-bounds read condition that allows an unauthenticated attacker to trigger denial of service over a network. The vulnerability was reported by an anonymous researcher.


Other Critical Vulnerabilities

Microsoft also addressed two remote code execution vulnerabilities in Microsoft Office (CVE-2026-26110 and CVE-2026-26113). Both flaws can be triggered through the preview pane, meaning users may be exposed without fully opening a malicious document. These issues increase the urgency of applying Office updates.


Adobe and Other Vendor Updates

Several major vendors released security updates alongside Microsoft’s March patches:

  • Adobe issued updates for Commerce, Illustrator, Substance 3D Painter, Acrobat Reader, Premiere Pro, and other products. None of the vulnerabilities were reported as exploited.
  • Cisco released patches across multiple networking and collaboration products.
  • Fortinet issued updates for FortiOS, FortiPAM, and FortiProxy.
  • Google’s March Android security bulletin fixed an actively exploited zero-day vulnerability affecting a Qualcomm display component.
  • HPE released updates addressing multiple vulnerabilities in Aruba Networking AOS-CX.
  • SAP issued March security updates for several products, including two critical vulnerabilities.

Recommendations for Users and Administrators

Organizations should prioritize patching Microsoft SQL Server and Microsoft Office environments, particularly where preview pane exploitation or elevated database privileges could be leveraged in attack chains. Systems using Microsoft Copilot integrations should also be reviewed due to the potential for unintended data disclosure through Excel vulnerabilities.

Security teams should continue monitoring vendor advisories from Cisco, Fortinet, Google, and SAP, especially where infrastructure or networking products intersect with enterprise identity and application environments.

Full technical details and patch links are available in Microsoft’s Security Update Guide.


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering, which enables organizations of any size to access executive-level cybersecurity expertise at a fraction of the cost of hiring internally.

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations, demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by the U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

