Microsoft Resolves 84 Flaws in March, Addresses Two Public Zero-Days

Microsoft has announced that it patched 84 security vulnerabilities in March 2026. Two of these flaws were publicly disclosed before the fix was available and are therefore classified as publicly known zero-days.

Vulnerability Breakdown

This month’s updates included:

  • Critical Vulnerabilities: 8
  • Important Vulnerabilities: 76
  • Types of Vulnerabilities:
    • Privilege Escalation: 46
    • Remote Code Execution: 18
    • Information Disclosure: 10
    • Spoofing: 4
    • Denial-of-Service: 4
    • Security Feature Bypass: 2

Publicly Known Zero-Days

Among the most critical fixes are:

  • CVE-2026-26127: A denial-of-service vulnerability in .NET with a CVSS score of 7.5.
  • CVE-2026-21262: An elevation of privilege vulnerability in SQL Server, rated at 8.8.

Most Significant Vulnerability

The highest-priority fix is CVE-2026-21536, a critical remote code execution flaw linked to the Microsoft Devices Pricing Program. This vulnerability has a CVSS score of 9.8 and is reportedly already fully mitigated, with no action required from users.

Expert Insights

Satnam Narang from Tenable noted that over half (55%) of this month’s vulnerabilities are privilege escalation bugs. These vulnerabilities are often exploited by threat actors following an initial compromise.

Highlighted Vulnerabilities

  • CVE-2026-25187: A flaw in Winlogon allowing a local attacker to escalate to SYSTEM privileges. It has a CVSS score of 7.8 and is credited to Google Project Zero’s James Forshaw.
  • CVE-2026-26118: A server-side request forgery bug in the Azure Model Context Protocol (MCP) server, rated at 8.8. It allows an attacker to gain elevated privileges by submitting crafted input.
  • CVE-2026-26144: An information disclosure vulnerability in Excel with a CVSS score of 7.5. It can enable zero-click attacks that extract confidential information without any user interaction or warning.

Microsoft’s Strategic Response

In addition to these updates, Microsoft plans to strengthen device security through Windows Autopatch. Starting in May 2026, Microsoft will enable hotpatch security updates to help organizations reach compliance faster and simplify security management.

This change will allow eligible devices managed in Microsoft Intune to apply security fixes without a restart, which is expected to improve compliance rates significantly.