Microsoft Patches 84 Flaws in March 2026 Update

New Delhi, March 11, 2026: In its latest monthly security rollout, Microsoft has released patches for 84 vulnerabilities as part of the March 2026 “Patch Tuesday.” This update addresses a wide spectrum of security risks across the Windows ecosystem, including critical remote code execution (RCE) flaws, privilege escalation bugs, and two publicly disclosed “zero-day” vulnerabilities.

While the sheer number of patches is significant, security experts note that none of the flaws have been actively exploited in the wild yet. However, the presence of critical vulnerabilities in widely used software like Microsoft Office and SQL Server makes immediate updating essential for both enterprise environments and home users.

The Breakdown: Critical Flaws and Severity

Out of the 84 vulnerabilities addressed, eight are classified as Critical, while 76 are rated as Important. The update covers a diverse range of products, including Windows, Office, Azure, SQL Server, and the Chromium-based Edge browser.

The vulnerability types include:

  • Elevation of Privilege (46 flaws): Comprising over 50% of the total patches.
  • Remote Code Execution (18 flaws): Allowing attackers to take control of a system over a network.
  • Information Disclosure (10 flaws): Leading to the leakage of sensitive data.
  • Denial of Service (4 flaws): Capable of crashing services or systems.
  • Spoofing & Security Feature Bypass (6 flaws).

Publicly Disclosed “Zero-Days”

Microsoft highlighted two vulnerabilities that were publicly known prior to the release of the patches, often referred to as zero-days. Although there is no evidence of active exploitation, their public nature increases the risk of hackers developing working exploits.

  1. CVE-2026-21262 (SQL Server Elevation of Privilege): This flaw allows an authenticated attacker to gain full ‘sysadmin’ privileges on a database server. While it requires initial access, the potential for total database takeover makes it a high-priority fix for database administrators.
  2. CVE-2026-26127 (.NET Denial of Service): An out-of-bounds read vulnerability that could allow an unauthenticated attacker to crash .NET-based applications remotely.

Spotlight on AI-Discovered Vulnerabilities

A landmark development in this month’s update is the inclusion of CVE-2026-21536, a critical RCE flaw in the Microsoft Devices Pricing Program with a near-perfect CVSS score of 9.8.

This vulnerability is notable because it was discovered by XBOW, an autonomous AI-powered vulnerability discovery platform. This marks one of the first instances where an AI agent has identified a high-severity flaw in a major vendor’s software, signaling a shift in how vulnerabilities will be found and patched in the future. Microsoft has confirmed that this issue has been fully mitigated on their side.

Major Risks in Microsoft Office

Office users are urged to patch immediately due to several RCE flaws (CVE-2026-26110 and CVE-2026-26113) that can be triggered through the Preview Pane. This means a user does not even need to open a malicious document to be compromised; simply viewing the file in a preview window could execute malicious code with the user’s privileges.

Recommendations for Users and Admins

To stay protected against these newly disclosed threats, users and organizations should:

  • Apply Updates Immediately: Use Windows Update to download and install the March 2026 security patches.
  • Prioritize Server Patching: Focus on SQL Server and SharePoint environments where the risk of privilege escalation is highest.
  • Restrict Untrusted Files: Until patches are applied, consider disabling the Preview Pane in File Explorer and Outlook to mitigate Office-based RCE risks.
  • Monitor Outbound Traffic: Keep an eye on unusual network activity originating from Office or SQL applications, which could indicate an attempted exploit.
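
The "Monitor Outbound Traffic" recommendation above can be prototyped as a filter over process-level connection logs. The following Python is an added example, not code from Microsoft or from this article; the record format, the sample records and the expected-destination allowlist are constructed assumptions, with field names modelled on Sysmon network connection events.

```python
import ipaddress
import ntpath

# Processes covered by the recommendation (Office apps and SQL Server); adjust per estate.
WATCHED = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "sqlservr.exe"}

# RFC 1918, loopback and link-local ranges are treated as internal destinations.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Assumption: external ranges a process is expected to reach (constructed value,
# e.g. a hosted mail gateway for Outlook). Everything else external is reported.
EXPECTED = {"outlook.exe": [ipaddress.ip_network("198.51.100.0/24")]}

# Constructed sample records, one outbound connection per line (documentation IPs).
SAMPLE = r"""
UtcTime=2026-03-11 09:14:02|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|DestinationIp=203.0.113.45|DestinationPort=443
UtcTime=2026-03-11 09:15:10|Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|DestinationIp=198.51.100.10|DestinationPort=443
UtcTime=2026-03-11 09:16:33|Image=C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe|DestinationIp=10.20.30.40|DestinationPort=1433
UtcTime=2026-03-11 09:20:41|Image=C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe|DestinationIp=192.0.2.77|DestinationPort=8080
UtcTime=2026-03-11 09:22:05|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|DestinationIp=203.0.113.9|DestinationPort=443
"""

def parse(line):
    """Turn 'k=v|k=v' into a dict; values may contain spaces and backslashes."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def suspicious(records):
    """Return (time, process, dest_ip, dest_port) for watched processes that
    connect to an external address outside their expected ranges."""
    hits = []
    for rec in records:
        proc = ntpath.basename(rec["Image"]).lower()  # Windows path, any host OS
        if proc not in WATCHED:
            continue
        dst = ipaddress.ip_address(rec["DestinationIp"])
        if any(dst in net for net in INTERNAL):
            continue  # internal traffic, e.g. SQL Server replication
        if any(dst in net for net in EXPECTED.get(proc, [])):
            continue  # known-good destination for this process
        hits.append((rec["UtcTime"], proc, str(dst), int(rec["DestinationPort"])))
    return hits

def run_sample():
    return suspicious(parse(l) for l in SAMPLE.splitlines() if l.strip())

if __name__ == "__main__":
    for hit in run_sample():
        print("REVIEW:", *hit)
```

A document editor or database engine opening its own connection to an unfamiliar external host is the signal worth triaging; the allowlist keeps routine Outlook mail traffic from drowning it out.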