Skip to content
Tech News
← Back to articles

Microsoft Patch Tuesday, March 2026 Edition

2026-03-11 | original
read original get Windows → more articles

Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software. There are no pressing “zero-day” flaws this month (compared to February’s five zero-day treat), but as usual some patches may deserve more rapid attention from organizations using Windows. Here are a few highlights from this month’s Patch Tuesday.

Two of the bugs Microsoft patched today were publicly disclosed previously. CVE-2026-21262 is a weakness that allows an attacker to elevate their privileges on SQL Server 2016 and later editions.

“This isn’t just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network,” Rapid7’s Adam Barnett said. “The CVSS v3 base score of 8.8 is just below the threshold for critical severity, since low-level privileges are required. It would be a courageous defender who shrugged and deferred the patches for this one.”

The other publicly disclosed flaw is CVE-2026-26127, a vulnerability in applications running on .NET. Barnett said the immediate impact of exploitation is likely limited to denial of service by triggering a crash, with the potential for other types of attacks during a service reboot.

It would hardly be a proper Patch Tuesday without at least one critical Microsoft Office exploit, and this month doesn’t disappoint. CVE-2026-26113 and CVE-2026-26110 are both remote code execution flaws that can be triggered just by viewing a booby-trapped message in the Preview Pane.

Satnam Narang at Tenable notes that just over half (55%) of all Patch Tuesday CVEs this month are privilege escalation bugs, and of those, a half dozen were rated “exploitation more likely” — across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server and Winlogon. These include:

–CVE-2026-24291: Incorrect permission assignments within the Windows Accessibility Infrastructure to reach SYSTEM (CVSS 7.8)

–CVE-2026-24294: Improper authentication in the core SMB component (CVSS 7.8)

–CVE-2026-24289: High-severity memory corruption and race condition flaw (CVSS 7.8)

–CVE-2026-25187: Winlogon process weakness discovered by Google Project Zero (CVSS 7.8).

... continue reading

Explore topics: microsoft windows sql server rapid7 office net
Related:
I thought ChatGPT's voice mode was a gimmick - these 7 use cases changed my mind
Peaky Blinders: The Immortal Man Is a Violent Delight From Netflix
Today's NYT Mini Crossword Answers for Saturday, March 14
Home Depot just slashed the price of its bestselling 30-piece Milwaukee Wrench Set
Today's NYT Connections Hints, Answers and Help for March 14, #1007

© 2026 GoKawiil

About | Editorial Policy | Contact