Microsoft's 'Patch Tuesday' for March Addresses Two Zero-Day Flaws

After last month's massive security update, Microsoft's Patch Tuesday push for March seems relatively light, withtwo publicly disclosed zero-day flaws among the 83 vulnerabilities fixed in total.

The breakdown of security flaws is as follows, according to BleepingComputer: 46 elevation-of-privilege vulnerabilities, two security feature bypass vulnerabilities, 18 remote-code-execution vulnerabilities, 10 information disclosure vulnerabilities, four denial of service vulnerabilities, and four spoofing vulnerabilities. Two of the remote code execution vulnerabilities and one of the information disclosure vulnerabilities are labeled "critical."

Patch Tuesday is typically pushed at 10 am PT on the second Tuesday of every month.

Two publicly disclosed zero-days for this Patch Tuesday

Zero-day vulnerabilities are flaws that have been either actively exploited or publicly disclosed before an official fix is made available by the developer. This month, both of the zero days being patched have been publicly disclosed, but Microsoft hasn't indicated that either has been actively exploited by attackers.

The first, labeled CVE-2026-21262, is an elevation of privilege vulnerability in the SQL Server that grants SQLAdmin privileges to an authorized attacker over a network. Erland Sommarskog has been credited with discovery. The second zero-day, labeled CVE-2026-26127, is a .NET denial of service vulnerability that has been attributed to an anonymous researcher.

The March update also includes two patches for remote code execution vulnerabilities in Microsoft Office and a handful of fixes for flaws in Microsoft Excel, so users should ensure these applications are up to date as well.

View the full article