Patch Tuesday:​ March 2026's Microsoft Security Updates

Published: March 10, 2026 | Category: Patch Tuesday | Author: Zecurit Security Team

Executive Summary

Microsoft's March 2026 Patch Tuesday addresses 79 security vulnerabilities, including 2 publicly disclosed zero-days and 3 Critical-severity flaws. While no vulnerabilities have been confirmed as actively exploited at time of release, the public disclosure of two zero-days (a SQL Server elevation-of-privilege bug, CVE-2026-21262, and a .NET denial-of-service flaw, CVE-2026-26127) means exploit details are already in the public domain, significantly shortening the safe patching window.

The most urgent concern this month is CVE-2026-26144, a Critical information disclosure vulnerability in Microsoft Excel that can cause Copilot Agent mode to silently exfiltrate data with no user interaction required. Organisations that have deployed Microsoft 365 Copilot should treat this as an immediate priority. Two additional Critical-rated Office remote code execution flaws (CVE-2026-26113 and CVE-2026-26110) are exploitable via the preview pane, making them prime candidates for phishing-based attacks.

Key actions for security and IT teams:

• Patch the three Critical CVEs and two zero-days within 24 hours
• Audit Microsoft 365 Copilot Agent mode exposure given the Excel data exfiltration risk
• Accelerate Secure Boot certificate rollout to meet the June 2026 expiration deadline
• Review any outstanding February 2026 zero-day remediations still in progress

This release follows February 2026's exceptionally severe Patch Tuesday, which included six actively exploited zero-days. March offers a slightly more manageable window, but demands equally swift action on its highest-severity items.

Microsoft's March 2026 Patch Tuesday has arrived, addressing 79 security vulnerabilities across Windows, Microsoft Office, SQL Server, Azure, .NET, and more. This month's release includes two publicly disclosed zero-day vulnerabilities and three Critical-severity flaws, two of which are remote code execution bugs in Microsoft Office and one is a notable information disclosure flaw in Excel with serious Copilot-related implications.

While neither zero-day has been confirmed as actively exploited in the wild at time of release, their public disclosure means exploit details are already available, making rapid patching an urgent priority for all organisations.

Note: This count covers vulnerabilities patched directly on Patch Tuesday. It excludes 9 Microsoft Edge flaws, Mariner, Payment Orchestrator Service, Azure, and Microsoft Devices Pricing Program issues fixed earlier in the month.

At a Glance

Vulnerability Types:

• Elevation of Privilege (EoP) - largest category
• Remote Code Execution (RCE)
• Information Disclosure
• Denial of Service (DoS)
• Spoofing
• Security Feature Bypass

Zero-Day Vulnerabilities: Act Now

This month's two zero-days were publicly disclosed before official patches were available. Although neither has been confirmed as exploited in active attacks, public disclosure significantly lowers the barrier for threat actors looking to weaponise the flaws.

CVE-2026-21262: SQL Server Elevation of Privilege

Microsoft has patched a publicly disclosed SQL Server elevation-of-privilege flaw that grants SQLAdmin privileges. Improper access control in SQL Server allows an authorised attacker to elevate privileges over a network. The flaw was discovered by Erland Sommarskog, a well-known SQL Server expert and Microsoft MVP.

• Type: Elevation of Privilege
• Attack Vector: Network
• Authentication Required: Yes (low-privileged user)
• Affected Products: Microsoft SQL Server (multiple versions)
• Risk: Authenticated database users could elevate to SQLAdmin level, which is a critical concern in enterprise environments where database permissions form a key security boundary.

CVE-2026-26127: .NET Denial of Service

Microsoft has patched a publicly disclosed .NET denial of service vulnerability. An out-of-bounds read in .NET allows an unauthorised attacker to deny service over a network. This flaw was attributed to an anonymous researcher.

• Type: Denial of Service
• Attack Vector: Network
• Authentication Required: No
• Affected Products: .NET (multiple supported versions)
• Risk: Unauthenticated remote attackers could disrupt availability of .NET-based applications and services.

Critical Vulnerabilities

Three vulnerabilities carry Microsoft's Critical severity rating this month.

CVE-2026-26113 and CVE-2026-26110: Microsoft Office Remote Code Execution

Both flaws affect Microsoft Office and can be exploited via the preview pane, meaning a user does not need to fully open a document for exploitation to occur. An attacker who successfully exploits either flaw could execute arbitrary code in the context of the current user.

• Type: Remote Code Execution
• Attack Vector: Malicious Office file (preview pane exploitable)
• Affected: Microsoft Office (multiple versions)
• Priority: High. This is a phishing-ready attack vector affecting all Office users.

CVE-2026-26144: Microsoft Excel Information Disclosure (Critical)

This is arguably the most novel vulnerability in this month's release. Although classified as an information disclosure flaw, it carries Critical severity due to its potential to weaponise Microsoft Copilot as a data exfiltration channel.

An attacker who successfully exploits this vulnerability could potentially cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling a zero-click information disclosure attack where sensitive data could be silently leaked without any user interaction beyond having Copilot enabled.

• Type: Information Disclosure
• Attack Vector: Zero-click when Copilot Agent mode is active
• Affected: Microsoft Office Excel with Microsoft Copilot
• Risk: Silent, automated data exfiltration with no user click required.
• Recommendation: Patch immediately; audit Copilot Agent mode deployment across your Microsoft 365 environment

Notable Vulnerabilities by Category

Elevation of Privilege

EoP flaws again represent the largest category this month, targeting high-value Windows components:

Remote Code Execution

Information Disclosure

Denial of Service

Cloud & Azure

Other Vendors: March 2026 Security Updates

March 2026 is a busy month for security updates beyond Microsoft. Security teams should also review and apply patches from the following vendors:

• Adobe: Security updates for Adobe Commerce, Illustrator, Substance 3D Painter, Acrobat Reader, and Premiere Pro. None are tagged as actively exploited.
• Cisco: Multiple product security updates released. Review Cisco's advisory portal for impacted products.
• Fortinet: Updates for FortiOS, FortiPAM, and FortiProxy across multiple severity levels.
• Google Android: The March security bulletin includes patches for multiple vulnerabilities. Security teams managing Android device fleets should prioritise deployment.

Context: 2026 Patch Tuesday Trend

March continues a heavy start to the year for Microsoft security patching:

February 2026 was one of the most critical Patch Tuesday releases in recent history, with six actively exploited zero-days covering Windows Shell, MSHTML, Microsoft Word, Desktop Window Manager, Windows Remote Desktop Services, and Windows Remote Access Connection Manager. Organisations that are still catching up on February deployments should treat March as a compounding urgency.

Ongoing: Secure Boot Certificate Renewal

March 2026 continues the deployment of updated Secure Boot certificates, which Microsoft began rolling out with February's Patch Tuesday. The original Secure Boot certificates issued in 2011 begin expiring in late June 2026. Devices that have not received the newer 2023 certificates will still start and operate normally after expiration, but will no longer be able to receive new security protections for the early boot process.

Action required: Organisations should ensure all Windows endpoints have received and successfully applied Secure Boot certificate updates from both February and March 2026 cumulative updates ahead of the June 2026 deadline.

Patching Recommendations

Priority 1: Patch Within 24 Hours

• CVE-2026-26144 (Excel / Copilot zero-click data exfiltration): Critical; silent risk for all Microsoft 365 Copilot environments
• CVE-2026-26113 and CVE-2026-26110 (Office RCE via preview pane): Critical; phishing-ready and affects all Office users
• CVE-2026-21262 (SQL Server EoP zero-day): Publicly disclosed; database environments at immediate risk

Priority 2: Patch Within 72 Hours

• CVE-2026-26114 and CVE-2026-26106 (SharePoint RCE): High-value lateral movement target
• CVE-2026-26132 (Windows Kernel EoP): Kernel-level privilege escalation
• CVE-2026-26128 (Windows SMB Server EoP): SMB remains a favoured attacker pathway
• CVE-2026-26127 (.NET DoS zero-day): Publicly disclosed; internet-facing .NET apps at risk
• CVE-2026-26112 / 26109 / 26108 / 26107 (Excel RCE): Multiple Excel code execution paths

Priority 3: Patch Within Standard Cycle (7 Days)

• All remaining Important-rated vulnerabilities across Windows, Azure, .NET, and SQL Server
• Complete Secure Boot certificate update deployment across all endpoints

Windows Cumulative Updates: March 2026

Summary

March 2026 Patch Tuesday is a significant but manageable release. The absence of actively exploited zero-days provides a slightly more comfortable patching window compared to February's crisis-level release, but the public disclosure of two zero-days and the novel Copilot exfiltration risk in CVE-2026-26144 demand urgent attention.

Security and IT teams should:

1. Immediately prioritise the three Critical CVEs and the two publicly disclosed zero-days
2. Audit Microsoft 365 Copilot Agent mode usage across the organisation given CVE-2026-26144
3. Continue Secure Boot certificate rollout to meet the June 2026 deadline
4. Review patch status from February 2026 for any outstanding zero-day remediations

Sources: BleepingComputer, Cyber Security News, Microsoft Security Response Center