SOCRadar® Cyber Intelligence Inc. | March 2026 Patch Tuesday: 83 Vulnerabilities, Two Publicly Disclosed Zero-Days
Mar 11, 2026

March 2026 Patch Tuesday: 83 Vulnerabilities, Two Publicly Disclosed Zero-Days

Microsoft released its March 2026 Patch Tuesday security updates, resolving a total of 83 vulnerabilities across Windows and multiple Microsoft products and components.

This month’s release includes two zero-day vulnerabilities that were publicly disclosed prior to a patch being available, though neither has been confirmed as actively exploited in the wild.

Elevation of Privilege (EoP) vulnerabilities once again dominated the release, accounting for over 55% of all patches. Remote Code Execution (RCE) vulnerabilities comprised approximately 20% of the fixes, with notable coverage across SQL Server, Windows Routing and Remote Access Service (RRAS), SharePoint, and Azure services.

Zero-Day Vulnerabilities Addressed in March 2026

The March 2026 Patch Tuesday release addressed two publicly disclosed zero-day vulnerabilities. Unlike February’s unusually high six-zero-day month, neither of these flaws has been confirmed as actively exploited at the time of release, though public disclosure before patching significantly increases the window of opportunity for threat actors.

CVE-2026-26127 (CVSS 7.5) – .NET Denial of Service

This denial-of-service vulnerability in .NET is caused by an out-of-bounds read. A remote, unauthenticated attacker could exploit this flaw over a network to disrupt service availability. Microsoft rated it as Exploitation Unlikely. While the network-accessible attack vector makes this theoretically accessible to a broad range of attackers, the exploitation-unlikely assessment and requirement for prior network access reduce its immediate risk. Organizations running .NET-dependent services should still prioritize patching, particularly for internet-facing applications.

Details of CVE-2026-26127 (SOCRadar Vulnerability Intelligence)

CVE-2026-21262 (CVSS 8.8) – SQL Server Elevation of Privilege

This elevation-of-privilege vulnerability in SQL Server could allow an authenticated attacker to gain SQLAdmin-level privileges over a network. With a CVSS score of 8.8 and a network-accessible attack vector, this flaw carries a notable potential impact – but Microsoft assessed it as Exploitation Less Likely. The requirement for prior authentication limits the pool of potential attackers, though insider threats or compromised credentials remain a realistic concern. SQL Server environments with broad network exposure should treat this patch as a priority.

Details of CVE-2026-21262 (SOCRadar Vulnerability Intelligence)

Critical Vulnerabilities in March 2026 Patch Tuesday

Microsoft addressed eight critical-severity vulnerabilities as part of its March 2026 Patch Tuesday updates:

  • CVE-2026-21536 (CVSS 9.8) – Microsoft Devices Pricing Program Remote Code Execution
  • CVE-2026-26125 (CVSS 8.6) – Payment Orchestrator Service Elevation of Privilege
  • CVE-2026-26110 (CVSS 8.4) – Microsoft Office Remote Code Execution
  • CVE-2026-26113 (CVSS 8.4) – Microsoft Office Remote Code Execution
  • CVE-2026-26148 (CVSS 8.1) – Azure Entra ID Elevation of Privilege
  • CVE-2026-26144 (CVSS 7.5) – Microsoft Excel Information Disclosure
  • CVE-2026-23651 (CVSS 6.7) – Azure Compute Gallery Elevation of Privilege
  • CVE-2026-26124 (CVSS 6.7) – Azure Compute Gallery Elevation of Privilege

The two Office RCE vulnerabilities are notable for requiring no user interaction, with the Preview Pane serving as an attack vector. The Excel information disclosure flaw is particularly concerning in Microsoft 365 Copilot environments, where it could enable zero-click data exfiltration. CVE-2026-21536 and CVE-2026-26125 have already been fully mitigated by Microsoft on the service side and require no customer action. Organizations using Azure Entra ID and Azure Container Instances confidential computing should prioritize the remaining Azure patches.

High-Risk Vulnerabilities to Watch in March 2026 Patch Tuesday

Beyond the zero-days, several vulnerabilities this month were flagged as Exploitation More Likely by Microsoft, signaling elevated risk of weaponization in the near term:

  • CVE-2026-26132 (CVSS 7.8) – Windows Kernel Elevation of Privilege
  • CVE-2026-24289 (CVSS 7.8) – Windows Kernel Elevation of Privilege
  • CVE-2026-24291 (CVSS 7.8) – Windows Accessibility Infrastructure Elevation of Privilege
  • CVE-2026-24294 (CVSS 7.8) – Windows SMB Server Elevation of Privilege
  • CVE-2026-25187 (CVSS 7.8) – Winlogon Elevation of Privilege
  • CVE-2026-23668 (CVSS 7.0) – Microsoft Graphics Component Elevation of Privilege

All six are local elevation of privilege vulnerabilities, allowing authenticated attackers to gain SYSTEM-level privileges. Kernel and SMB vulnerabilities are frequently chained with initial access exploits in multi-stage attacks, while the Winlogon and Accessibility Infrastructure flaws target components deeply integrated into Windows authentication and UI workflows. None have been confirmed as actively exploited, but their Exploitation More Likely designation warrants prompt patching across endpoints and servers.

Apply Microsoft’s Security Updates

Microsoft’s March 2026 security updates address vulnerabilities across widely used products, many of which are directly exposed to user interaction or internet-facing infrastructure. Systems affected by these flaws should be patched without delay, with priority given to:

  • Systems running SQL Server, particularly those accessible over a network
  • Servers running Active Directory Domain Services and Windows Print Spooler
  • Environments using Azure MCP Server and Azure IoT infrastructure
  • Endpoints and servers affected by the Exploitation More Likely kernel, WinSock, SMB Server, Winlogon, and ATBroker vulnerabilities
  • SharePoint and Office environments where document-based exploitation is a concern
  • Windows RRAS deployments serving as VPN or remote access gateways

See Microsoft’s March 2026 release note for the full details of patched CVEs.
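The signals this article reports (public disclosure, Exploitation More Likely, critical severity, service-side fixes) can be turned into an ordered patch queue. The sketch below is an added example, not SOCRadar's or Microsoft's tooling; it uses a subset of the CVE lines from this page, and the tier weighting and the `signal|` tag prefix are assumptions made for illustration.

```python
import re

# Lines copied from this page's lists; the "signal|" prefix is added here to
# record which group of the article each line came from.
ADVISORY = """\
disclosed|CVE-2026-26127 (CVSS 7.5) – .NET Denial of Service
disclosed|CVE-2026-21262 (CVSS 8.8) – SQL Server Elevation of Privilege
critical|CVE-2026-21536 (CVSS 9.8) – Microsoft Devices Pricing Program Remote Code Execution
critical|CVE-2026-26125 (CVSS 8.6) – Payment Orchestrator Service Elevation of Privilege
critical|CVE-2026-26110 (CVSS 8.4) – Microsoft Office Remote Code Execution
critical|CVE-2026-26148 (CVSS 8.1) – Azure Entra ID Elevation of Privilege
more_likely|CVE-2026-26132 (CVSS 7.8) – Windows Kernel Elevation of Privilege
more_likely|CVE-2026-24294 (CVSS 7.8) – Windows SMB Server Elevation of Privilege
more_likely|CVE-2026-23668 (CVSS 7.0) – Microsoft Graphics Component Elevation of Privilege
"""
# Fixed on the service side according to the article: no customer action.
SERVICE_SIDE = {"CVE-2026-21536", "CVE-2026-26125"}
# Assumed weighting (not a vendor policy): lower tier is patched sooner.
TIER = {"disclosed": 0, "more_likely": 0, "critical": 1}
LINE = re.compile(r"^(\w+)\|(CVE-\d{4}-\d{4,}) \(CVSS (\d+\.\d)\) [–-] (.+)$")

def parse(text):
    """Turn tagged advisory lines into records; reject lines that do not match."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE.match(raw.strip())
        if m is None or m.group(1) not in TIER:
            raise ValueError(f"unparseable advisory line: {raw!r}")
        signal, cve, score, title = m.groups()
        records.append({"cve": cve, "cvss": float(score),
                        "signal": signal, "title": title})
    return records

def triage(records):
    """Return (patch_queue, no_action); queue ordered by tier, then CVSS descending."""
    no_action = [r for r in records if r["cve"] in SERVICE_SIDE]
    todo = [r for r in records if r["cve"] not in SERVICE_SIDE]
    todo.sort(key=lambda r: (TIER[r["signal"]], -r["cvss"]))
    return todo, no_action

if __name__ == "__main__":
    queue, skipped = triage(parse(ADVISORY))
    for r in queue:
        print(f"tier {TIER[r['signal']]}  {r['cve']}  {r['cvss']:.1f}  {r['title']}")
    for r in skipped:
        print(f"no action (service-side fix)  {r['cve']}")
```

Mapping each queued CVE to the hosts that run the affected product requires an asset inventory, which this sketch does not include.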

Applying updates does not always eliminate risk. Some assets may remain exposed, partially patched, or newly reachable after changes in infrastructure or configuration.

SOCRadar Attack Surface Management (ASM) continuously identifies internet-facing assets, detects unpatched systems, and surfaces configuration weaknesses that attackers commonly exploit.

SOCRadar’s ASM module, Company Vulnerabilities

When ASM is integrated into routine patch workflows, your security team can identify assets missed after patch deployment, confirm whether critical fixes were applied across the external attack surface, and focus remediation efforts on assets most likely to be targeted.