Microsoft Patches 84 Security Flaws Including Two Public Zero-Days

Microsoft's March security update fixes 84 flaws, including two public zero-days and a critical Excel bug that could leak data via Copilot.

Mar 11, 2026
Technobezz

Microsoft's March Patch Tuesday delivers fixes for 84 flaws, including two publicly disclosed zero-days and a critical Excel issue that could leak data through the Copilot AI assistant. The update addresses eight critical-rated and 76 important-rated issues across Windows components, SQL Server, .NET, Office applications, and Azure services. Over half (55%) of the patched bugs are privilege escalation flaws, the kind attackers use to gain higher system access after an initial compromise.

Two publicly known zero-days received patches: CVE-2026-21262, a SQL Server elevation-of-privilege flaw with a CVSS score of 8.8 that grants SQLAdmin privileges to an authorized attacker over a network, and CVE-2026-26127, a .NET denial-of-service vulnerability scoring 7.5 that allows unauthorized actors to crash applications remotely.

A critical information disclosure flaw in Excel (CVE-2026-26144) presents an unusual risk through Microsoft's AI assistant.

"An attacker who successfully exploited this flaw could potentially cause Copilot Agent mode to exfiltrate data via unintended network egress," Microsoft explained in its advisory. The cross-site scripting issue enables zero-click attacks where automated agents might transmit sensitive corporate data outside organizational boundaries without triggering alerts.

Office users face additional threats from two remote code execution flaws (CVE-2026-26110 and CVE-2026-26113) that are exploitable through the preview pane alone, requiring no user interaction beyond viewing a malicious document.

Privilege escalation dominates this month's patch batch, with 46 such issues addressed. Six Windows components (Graphics Component, Accessibility Infrastructure, Kernel, SMB Server, Winlogon, and Hyper-V) contain bugs rated "exploitation more likely" by researchers.

The Winlogon flaw (CVE-2026-25187) is of particular concern to teams because of its low attack complexity and lack of user interaction requirements. Google Project Zero researcher James Forshaw discovered the issue, which lets locally authenticated users with minimal privileges exploit link-following conditions to obtain SYSTEM-level access.

Azure environments face exposure from CVE-2026-26118, a server-side request forgery bug in Azure Model Context Protocol servers with a CVSS score of 8.8. Malicious actors could submit crafted URLs to capture managed identity tokens without administrative access, then use those credentials to reach any resources authorized to the compromised identity.
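One defensive control against this class of server-side request forgery, shown as an added example that is not taken from Microsoft's advisory or from Azure MCP code: check every caller-supplied URL against a host allowlist and refuse destinations that resolve to internal addresses before the server makes the request. `ALLOWED_HOSTS`, `api.example.com` and all function names are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this service may call out to.
ALLOWED_HOSTS = {"api.example.com"}

def system_resolver(host):
    """Resolve a host name to the set of addresses the OS would connect to."""
    return {info[4][0] for info in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)}

def is_internal(addr):
    """True for loopback, link-local (169.254.0.0/16), private and other non-global addresses."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # unwrap ::ffff:a.b.c.d before classifying
    return not ip.is_global

def check_outbound_url(url, allowed=ALLOWED_HOSTS, resolver=system_resolver):
    """Return (ok, reason) for a caller-supplied URL the service is about to fetch."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"  # blocks https://allowed-host@other-host/
    if host not in allowed:
        return False, "host not on allowlist"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "resolution failed"
    # An allowlisted name can still point inward (stale or hijacked DNS record).
    if not addrs or any(is_internal(a) for a in addrs):
        return False, "resolves to internal address"
    return True, "ok"
```

The check only holds if the request then connects to the address that was validated and does not follow redirects without re-running it on each new location.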

Eighteen remote code execution issues include three critical flaws: two in Microsoft Office and one in the Microsoft Devices Pricing Program, tracked as CVE-2026-21536 with a CVSS score of 9.8, the highest severity this month. Artificial intelligence platform XBOW discovered the Devices Pricing Program problem, which Microsoft says has been fully mitigated without requiring user action.

Ten information disclosure flaws round out the major categories, alongside four denial-of-service issues, four spoofing issues, and two security feature bypasses.

Microsoft continues expanding hotpatch capabilities for Windows Autopatch deployments, starting with the May 2026 updates. The company claims that applying fixes without waiting for restarts can achieve 90% compliance in half the time while maintaining administrative control over update timing.
