Microsoft Patch Tuesday March 2026: 93 Vulnerabilities Addressed, Including Two Zero-Days
Do Son 
The March 2026 edition of Microsoft Patch Tuesday has arrived, bringing a massive wave of security updates to protect enterprise and consumer environments. This month, Microsoft has addressed a total of 93 vulnerabilities, with the release including fixes for eight critical and 75 important severity flaws.
The updates span a wide array of the Microsoft ecosystem, including the Windows Kernel, SQL Server, Hyper-V, and the Windows Graphics Component. Most notably, this release addresses two publicly disclosed zero-day vulnerabilities that were being tracked prior to the official patch.
Security teams should prioritize the two zero-day flaws addressed this month, as public disclosure often serves as a precursor to active exploitation:
- SQL Server Elevation of Privilege (CVE-2026-21262): SQL Server, Microsoft’s core relational database management system, was found to have an improper access control flaw. This vulnerability could allow an authenticated attacker to elevate their privileges within the database environment.
- .NET Denial of Service Vulnerability (CVE-2026-26127): A second zero-day was identified within the .NET framework. Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.
| Vulnerability Category | Quantity | Severities |
| Elevation of Privilege | 46 |
Critical: 3, Important: 43 |
| Remote Code Execution | 18 |
Critical: 3, Important: 15 |
| Information Disclosure | 11 |
Critical: 2, Important: 9 |
| Spoofing | 4 |
Important: 4 |
| Denial of Service (DoS) | 4 |
Important: 4 |
| Security Feature Bypass | 2 |
Important: 2 |
With 93 vulnerabilities in the queue, including critical flaws in core services like Windows Kerberos and Hyper-V, this is a heavy month for patch management teams. While Microsoft has mitigated several high-profile service-side flaws—such as those in Azure and the Devices Pricing Program—the large volume of local privilege escalation and RCE fixes for Windows and SQL Server requires immediate attention.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
