If February 2026 was the sprint, March is a marathon of essential infrastructure updates.
Microsoft’s third Patch Tuesday of 2026 has arrived, addressing 84 vulnerabilities in total. While the total count is typical, the release demands close attention: it contains two publicly disclosed zero-day vulnerabilities and eight critical flaws affecting a wide range of enterprise products, including SQL Server, Office, and Azure components.
Here is the breakdown of what you need to know, what to patch first, and what might break.
The March 2026 Patch Day overview
Executive Summary
- Release Date: March 10, 2026
- Total Vulnerabilities: 84
- Critical Vulnerabilities: 8
- Zero-Days (Publicly Disclosed): 2 (SQL Server, .NET)
- Key Action Item: Administrators must prioritize database and application servers due to the SQL Server elevation of privilege flaw and the .NET denial of service vulnerability. Simultaneously, ensure Office updates are deployed to workstations to prevent potential zero-click remote code execution via the Preview Pane.
Important Patches
- CVE-2026-21262 — Microsoft SQL Server Elevation of Privilege Vulnerability
- CVE-2026-26127 — .NET Denial of Service Vulnerability
- CVE-2026-21536 — Microsoft Devices Pricing Program Remote Code Execution Vulnerability
- CVE-2026-26110 — Microsoft Office Remote Code Execution Vulnerability
- CVE-2026-25187 — Windows Winlogon Elevation of Privilege Vulnerability
Cumulative Updates
| Product, Version | KB Article | Notes |
| Windows 11, Version 24H2 / 25H2 | KB5079473 | Security updates and non-security changes. Adds built-in Sysmon, Emoji 16.0, and prepares infrastructure for upcoming Secure Boot certificate updates. |
| Windows 11, Version 26H1 | KB5079466 | Security updates. Improves how Windows Defender Application Control (WDAC) handles COM objects allowlisting policies. |
| Windows 10, Version 22H2 | KB5078885 | Security updates. Includes a GPU stability fix and Secure Boot updates. |
Deep Dive: The Critical Vulnerabilities
Microsoft confirmed two publicly disclosed zero-day vulnerabilities are fixed this month. Furthermore, Microsoft fixed several critical remote code execution (RCE) and elevation of privilege (EoP) flaws.
Attackers may exploit the issues on systems that have not been patched to bypass protections, elevate privileges, or execute malicious payloads remotely.
Here is the critical overview:
CVE-2026-21262 (Microsoft SQL Server Elevation of Privilege)
This publicly disclosed zero-day allows an authorized attacker to elevate privileges over a network. Due to improper access control, a logged-in user can quietly elevate to become a full database administrator (sysadmin). With that level of control, they can read, modify, or delete data without user interaction.
CVE-2026-26127 (.NET Denial of Service)
The second publicly disclosed zero-day is an out-of-bounds read flaw in the .NET platform (versions 9.0 and 10.0). It allows an unauthenticated remote attacker to crash .NET applications over the network, resulting in a denial of service for any app running on the affected runtime libraries.
CVE-2026-21536 (Microsoft Devices Pricing Program Remote Code Execution)
Scoring a critical 9.8 out of 10 on the CVSS scale, this is the most severe flaw of the month. It allows remote attackers to execute arbitrary code over the network without privileges or user interaction. Notably, this flaw was discovered by an autonomous AI penetration testing agent. Microsoft notes that the vulnerability has been fully mitigated on their end, requiring no direct action from users.
CVE-2026-26110 & CVE-2026-26113 (Microsoft Office Remote Code Execution)
These type confusion and untrusted pointer dereference flaws in Microsoft Office enable remote code execution when malicious files are processed. They are particularly dangerous because they can potentially allow zero-click exploitation if a user simply views a booby-trapped document in the Outlook Preview Pane.
CVE-2026-25187 (Windows Winlogon Elevation of Privilege)
Discovered by Google Project Zero, this vulnerability leverages improper link resolution in the Winlogon process. A locally authenticated attacker with low privileges could exploit a link-following condition to effortlessly escalate to SYSTEM privileges.
Significant Changes in the March 2026 updates
- Sysmon is now built-in: Previously a manual download from Sysinternals, Sysmon is now included as a native component in Windows 11 for better security auditing and monitoring of malicious activity.
- Secure Boot certificate preparation: Windows systems are receiving infrastructure updates to prepare for the upcoming expiration of Secure Boot certificates, which will begin rotating in June 2026.
- Quick Machine Recovery (QMR) expansion: QMR is now turned on automatically on more hardware. This feature allows administrators to revert endpoints to a working state if a disastrous third-party update takes down the system.
- RSAT on Arm64: Remote Server Administration Tools are finally supported on Windows 11 Arm64 devices, allowing administrators to manage Windows Server environments directly from Arm-powered PCs.
First Steps: Your Patch Tuesday Strategy
- Prioritize the zero-days: Map your exposure and prioritize the two zero-day vulnerabilities, focusing heavily on SQL Server environments and .NET application servers.
- Update Office installations: Deploy Microsoft Office updates to all workstations immediately to mitigate the risk of zero-click remote code execution via the Preview Pane.
- Prepare for Secure Boot changes: Ensure your enterprise environment allows the new Secure Boot allowed Key Exchange Key (KEK) updates to install properly to avoid boot issues in the coming months.