Microsoft March 2026 Patch Tuesday Fixes 84 Vulnerabilities Including Two Public Zero-Days and a Critical AI-Discovered Flaw
Microsoft's March 2026 security update addresses 84 vulnerabilities across Windows, Office, Azure, SQL Server, and .NET, with two publicly disclosed zero-days, eight critical-rated flaws, and a 9.8-severity remote code execution bug discovered by an autonomous AI agent.
Overview
Microsoft released its March 2026 Patch Tuesday security update on March 10, addressing 84 vulnerabilities across Windows, Microsoft Office, Azure, SQL Server, and .NET. The update includes two publicly disclosed zero-day vulnerabilities, eight critical-severity flaws, and a notable remote code execution bug discovered entirely by an autonomous AI security agent.
What We Know
The March update breaks down into 46 privilege escalation flaws, 18 remote code execution issues, 10 information disclosure vulnerabilities, four spoofing flaws, four denial-of-service bugs, and two security feature bypass issues. None of the disclosed vulnerabilities were under active exploitation at the time of release.
The two publicly known zero-days are CVE-2026-21262, an elevation of privilege vulnerability in SQL Server 2016 and later with a CVSS score of 8.8, and CVE-2026-26127, a denial-of-service flaw in .NET scoring 7.5. The SQL Server vulnerability allows an authorized attacker to escalate privileges to sysadmin over a network, though Microsoft considers it less likely to be exploited.
Among the critical-rated flaws, CVE-2026-21536 stands out with a CVSS score of 9.8, the highest in this cycle. The remote code execution vulnerability in Microsoft Devices Pricing Program was discovered by XBOW, an autonomous AI security platform, without access to source code. Microsoft described the flaw as fully mitigated, requiring no additional user action.
Two Microsoft Office remote code execution flaws, CVE-2026-26113 and CVE-2026-26110, pose particular concern because they can be triggered simply by viewing a malicious message in Outlook’s Preview Pane, requiring no further user interaction.
Six vulnerabilities were flagged as more likely to be exploited, all involving privilege escalation. These include CVE-2026-24289 and CVE-2026-26132, both Windows Kernel use-after-free flaws; CVE-2026-23668, a Windows Graphics Component race condition; CVE-2026-24294, a Windows SMB Server authentication weakness; CVE-2026-25187, a Winlogon improper link resolution flaw reported by Google Project Zero researcher James Forshaw; and CVE-2026-24291, a Windows Accessibility Infrastructure permission flaw.
Security researcher Ben McCarthy of Immersive noted that CVE-2026-24291 offers a reliable path from limited user privileges to SYSTEM-level access, providing total control and the ability to bypass endpoint detection tools.
A separate critical vulnerability, CVE-2026-26118, is a server-side request forgery in Azure Model Context Protocol server with a CVSS score of 8.8 that could enable privilege escalation over networks. Additionally, CVE-2026-26144 affects Microsoft Excel with a cross-site scripting vulnerability that could enable data exfiltration through Copilot Agent mode.
Microsoft also announced that Windows Autopatch will begin enabling hotpatch security updates by default starting May 2026, allowing certain updates to install without requiring a restart.
What We Don’t Know
While Microsoft classified CVE-2026-21262 and CVE-2026-26127 as publicly disclosed, there is ongoing debate among security researchers about whether these should formally be categorized as zero-days. The precise exploitation path for the Azure Model Context Protocol SSRF vulnerability has not been publicly detailed. It also remains unclear how broadly the XBOW AI agent’s vulnerability discovery method could scale across other Microsoft products or third-party software.