Microsoft Fixes 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days
Microsoft released patches for 84 new security vulnerabilities across its products in March Patch Tuesday, including two publicly disclosed zero-days.
Eight flaws are rated Critical and 76 Important. By impact type, Microsoft fixed:
- 46 elevation of privilege
- 18 remote code execution
- 10 information disclosure
- 4 spoofing
- 4 denial of service
- 2 security feature bypass
These fixes are in addition to 10 vulnerabilities addressed in Microsoft Edge since the February 2026 Patch Tuesday release.
Publicly disclosed zero-days
- CVE-2026-26127 (CVSS 7.5): Denial-of-service in .NET
- CVE-2026-21262 (CVSS 8.8): Elevation of privilege in SQL Server
Highest-severity RCE fully mitigated
The month’s highest CVSS score is tied to CVE-2026-21536 (CVSS 9.8), a critical remote code execution flaw in the Microsoft Devices Pricing Program. Microsoft says it has been fully mitigated and requires no user action. The AI-powered autonomous vulnerability discovery platform XBOW is credited with the discovery and report.
Privilege escalation dominates
“This month, over half (55%) of all Patch Tuesday CVEs were privilege escalation bugs, and of those, six were rated exploitation more likely across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon,” said Satnam Narang, senior staff research engineer at Tenable.
“We know these bugs are typically used by threat actors as part of post-compromise activity, once they get onto systems through other means (social engineering, exploitation of another vulnerability).”
Winlogon elevation of privilege
CVE-2026-25187 (CVSS 7.8) is a Winlogon privilege escalation that leverages improper link resolution to obtain SYSTEM privileges. Google Project Zero’s James Forshaw is credited for reporting the issue.
“The flaw allows a locally authenticated attacker with low privileges to exploit a link-following condition in the Winlogon process and escalate to SYSTEM privileges,” said Jacob Ashdown, cybersecurity engineer at Immersive. “The vulnerability requires no user interaction and has low attack complexity, making it a straightforward target once an attacker gains a foothold.”
Azure MCP SSRF could expose managed identity tokens
Another notable issue is CVE-2026-26118 (CVSS 8.8), a server-side request forgery flaw in the Azure Model Context Protocol (MCP) server that could let an authorized attacker elevate privileges over a network.
“An attacker could exploit this issue by sending specially crafted input to an Azure Model Context Protocol (MCP) Server tool that accepts user‑provided parameters,” Microsoft said.
“If the attacker can interact with the MCP‑backed agent, they can submit a malicious URL in place of a normal Azure resource identifier. The MCP Server then sends an outbound request to that URL and, in doing so, may include its managed identity token. This allows the attacker to capture that token without requiring administrative access.”
Successful exploitation could let an attacker obtain the permissions associated with the MCP Server’s managed identity and access any resources that identity is authorized to reach.
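As an added defensive illustration (not the Azure MCP Server's own code, and not taken from the article), the Python sketch below shows the input discipline that the failure described above turns on: a tool parameter documented as an Azure resource identifier is accepted only as a bare ARM resource path, and the request that carries the managed identity token is built against a fixed host rather than a caller-supplied URL. The ARM host, resource-ID grammar and api-version format are assumptions of this example.

```python
import re
from urllib.parse import urlencode, urlsplit, urlunsplit

# Added hardening sketch (not the Azure MCP Server's code): a tool parameter that is
# documented as an Azure resource identifier is accepted only as an ARM resource path.
# The outbound host is pinned here, so the managed identity token can only ever be
# sent to that host, never to a URL supplied by whoever drives the agent.
ARM_HOST = "management.azure.com"  # assumed target host for this example

_GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
_SEG = r"[A-Za-z0-9._()-]+"  # one path segment: no '/', '?', '#', '@', '%' or ':'
# /subscriptions/<guid>/resourceGroups/<rg>/providers/<namespace>/<type>/<name>[/<sub>/<name>...]
_RESOURCE_ID = re.compile(
    rf"/subscriptions/{_GUID}/resourceGroups/{_SEG}/providers/{_SEG}(?:/{_SEG}){{2,}}"
)
_API_VERSION = re.compile(r"\d{4}-\d{2}-\d{2}(?:-preview)?")


def is_valid_resource_id(value: str) -> bool:
    """True only for a bare ARM resource path; any scheme, host, query or fragment fails."""
    if "://" in value or value.startswith("//"):
        return False  # a full or protocol-relative URL was passed where a path is expected
    return _RESOURCE_ID.fullmatch(value) is not None


def build_arm_url(resource_id: str, api_version: str) -> str:
    """Build the only kind of URL this tool may call with its identity token attached."""
    if not is_valid_resource_id(resource_id):
        raise ValueError("parameter is not a well-formed Azure resource identifier")
    if _API_VERSION.fullmatch(api_version) is None:
        raise ValueError("api-version must look like YYYY-MM-DD[-preview]")
    url = urlunsplit(("https", ARM_HOST, resource_id, urlencode({"api-version": api_version}), ""))
    # Independent last check before any token is attached: the parsed host must be the pinned one.
    if urlsplit(url).hostname != ARM_HOST:
        raise ValueError("refusing to send credentials to a non-ARM host")
    return url


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate resource id and URL-shaped values passed in its place.
    good = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
            "/providers/Microsoft.Storage/storageAccounts/acct1")
    print(build_arm_url(good, "2023-01-01"))
    for bad in ("https://collector.example/grab", "//collector.example/grab",
                good + "@collector.example"):
        print(bad, "->", is_valid_resource_id(bad))
```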
Excel information disclosure and Copilot risk
Among the Critical-severity bugs is CVE-2026-26144 (CVSS 7.5), an information disclosure flaw in Excel described as a cross-site scripting issue due to improper input neutralization during web page generation. Microsoft warns an attacker could potentially cause Copilot Agent mode to exfiltrate data as part of a zero-click attack.
“Information disclosure vulnerabilities are especially dangerous in corporate environments where Excel files often contain financial data, intellectual property, or operational records,” said Alex Vovk, CEO and co-founder of Action1.
“If exploited, attackers could silently extract confidential information from internal systems without triggering obvious alerts. Organizations using AI-assisted productivity features may face increased exposure, as automated agents could unintentionally transmit sensitive data outside corporate boundaries.”
Windows Autopatch changes
Microsoft also announced a change to Windows Autopatch, enabling hotpatch security updates by default to secure devices faster.
“This change in default behavior comes to all eligible devices in Microsoft Intune and those accessing the service via Microsoft Graph API starting with the May 2026 Windows security update,” Redmond said. “Applying security fixes without waiting for a restart can get organizations to 90% compliance in half the time, while you remain in control.”