March 2026 Patch Tuesday: Microsoft Addresses 77 Flaws, No Zero-Days but Critical Office Bugs and AI-Discovered Vulnerability

Overview of March 2026 Patch Tuesday

Microsoft released its monthly security updates on March 10, 2026, addressing a total of 77 vulnerabilities across Windows, Office, SQL Server, and other products. Unlike February, which saw five actively exploited zero-day flaws, this month’s batch contains no zero-day vulnerabilities. However, several patches require urgent attention, including two publicly disclosed weaknesses and multiple critical remote code execution (RCE) bugs. This article breaks down the most significant updates for IT administrators and security teams.

Publicly Disclosed Flaws

Two vulnerabilities in this month’s release were already known to attackers before Patch Tuesday. CVE-2026-21262 affects SQL Server 2016 and later editions, allowing an authenticated attacker to elevate privileges to sysadmin over the network. According to Adam Barnett of Rapid7, “This isn’t just any elevation of privilege vulnerability; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network.” He highlighted that the CVSS v3 base score of 8.8 is just below critical severity because low-level privileges are required, but cautioned that “it would be a courageous defender who shrugged and deferred the patches for this one.”

The second publicly disclosed issue is CVE-2026-26127, a vulnerability in applications running on .NET. Barnett noted that immediate exploitation is likely limited to denial of service via crashes, but there is potential for other attack types during a service reboot.

Critical Office Vulnerabilities

Each Patch Tuesday typically includes at least one critical Office exploit, and March 2026 is no exception. CVE-2026-26113 and CVE-2026-26110 are both remote code execution flaws that can be triggered simply by viewing a malicious message in the Outlook Preview Pane. This underscores the importance of applying Office updates promptly, especially for organizations that rely on Outlook as a primary communication tool.

Privilege Escalation Bugs Dominate

Satnam Narang of Tenable reported that just over 55% of all CVEs addressed this month are privilege escalation vulnerabilities. Among those, six were rated “exploitation more likely” by Microsoft, spanning multiple Windows components:

• CVE-2026-24291: Incorrect permission assignments in the Windows Accessibility Infrastructure, enabling escalation to SYSTEM (CVSS 7.8)
• CVE-2026-24294: Improper authentication in the core SMB component (CVSS 7.8)
• CVE-2026-24289: High-severity memory corruption and race condition flaw (CVSS 7.8)
• CVE-2026-25187: Weakness in the Winlogon process, discovered by Google Project Zero (CVSS 7.8)

These bugs target core system processes and could allow an attacker with limited access to gain full control over a machine. Administrators should prioritize patching Windows systems that handle sensitive data or are exposed to untrusted networks.

Notable AI-Discovered Vulnerability

Ben McCarthy, lead cyber security engineer at Immersive, drew attention to CVE-2026-21536, a critical RCE bug in the Microsoft Devices Pricing Program component. Interestingly, Microsoft has already resolved the issue server-side, so no user action is required. However, McCarthy highlighted that this is one of the first vulnerabilities officially attributed to an AI agent and assigned a CVE. The bug was uncovered by XBOW, a fully autonomous AI penetration testing agent that has consistently ranked near the top in security competitions.

This development marks a milestone in cybersecurity automation, demonstrating that AI can effectively identify complex flaws without human intervention. While the immediate impact for Windows users is minimal, the incident foreshadows a future where AI-driven security testing becomes a standard practice.

Recommendations for Organizations

Given the breadth of this month’s patches, security teams should follow these steps:

1. Apply SQL Server updates (CVE-2026-21262) immediately due to the high CVSS score and network-based privilege escalation potential.
2. Install Office updates to block the Preview Pane RCE vulnerabilities (CVE-2026-26113, CVE-2026-26110).
3. Prioritize Windows kernel and privilege escalation patches (listed above) for systems with multiple users or remote access.
4. Review .NET applications for exposure to CVE-2026-26127 and apply updates accordingly.
5. Monitor for AI-generated vulnerabilities as this trend grows in the security landscape.

For a complete list of all 77 CVEs, refer to the Microsoft Security Response Center.