Microsoft Patches Two Publicly Disclosed Zero-Days in March 2026 Patch Tuesday
Microsoft's March 2026 Patch Tuesday addresses 79 vulnerabilities, including two publicly disclosed zero-days: an SQL Server elevation of privilege bug and a .NET denial-of-service flaw.
Microsoft released its March 2026 Patch Tuesday updates, addressing 79 vulnerabilities, including two zero-days that were publicly disclosed before a patch was available. The update provides a welcome reprieve for system administrators, with a relatively manageable number of fixes compared to recent months.
The first zero-day, tracked as CVE-2026-21262, is an elevation of privilege (EoP) vulnerability in SQL Server with a CVSS score of 8.8. While Microsoft assesses the likelihood of exploitation as less likely, security experts warn against delaying patches. "It would be a courageous defender who shrugged and deferred the patches for this one," said Adam Barnett, principal software engineer at Rapid7. He noted that while exposing SQL Server directly to the internet is widely discouraged, tens of thousands of instances remain discoverable via search engines.
The second zero-day, CVE-2026-26127, is a denial-of-service flaw in .NET. Barnett warned that the impact could extend beyond simple downtime. "If a log forwarder or security agent is impacted, even for a brief period, an attacker might carry out an attack hoping to evade detection under cover of this artificial darkness," he explained. Even low-skilled attackers could cause SLA breaches or revenue loss.
Beyond the zero-days, the Patch Tuesday release includes three critical-rated vulnerabilities: two remote code execution flaws and one information disclosure bug. However, the majority of this month's CVEs are elevation of privilege vulnerabilities, highlighting a persistent trend in Microsoft's security landscape.
Ben McCarthy, lead cybersecurity engineer at Immersive, highlighted several notable EoP vulnerabilities. CVE-2026-23668 affects the Windows Graphics Component and requires no user interaction, allowing exploitation to occur entirely in the background. CVE-2026-24294 targets the Windows SMB Server, a popular target due to its near-constant activation, providing a direct path to system privileges. CVE-2026-24289 is a Windows Kernel flaw that could bypass all standard security boundaries.
Microsoft has not reported active exploitation of either zero-day in the wild, but the public disclosure increases the risk of attacks. Administrators are urged to prioritize patching, especially for internet-exposed SQL Server instances and systems running .NET applications. The updates are available through Windows Update and other standard channels.
This month's Patch Tuesday underscores the ongoing challenge of balancing feature development with security. The prevalence of EoP vulnerabilities suggests that attackers continue to focus on gaining elevated access after initial compromise. Organizations should review their patch management processes to ensure timely deployment of these critical fixes.