Microsoft's March 2026 Patch Tuesday addresses 77 vulnerabilities across Windows and other software. While no zero-days this month, several flaws demand immediate attention. Here are the top eight issues you need to know about, including a bug discovered by an AI agent. For a deeper look at the most critical Office flaws, see item 3.
1. SQL Server Privilege Escalation (CVE-2026-21262)
This publicly disclosed vulnerability affects SQL Server 2016 and later editions. An authenticated attacker can elevate privileges to sysadmin over the network, gaining full control of the database. While rated high severity (CVSS 8.8) rather than critical, the risk is substantial. Rapid7's Adam Barnett warns that deferring patches would be unwise. Organizations should prioritize this fix, especially those using SQL Server in production environments. The flaw was already known to attackers before Microsoft's patch, increasing the urgency.
2. .NET Denial of Service Vulnerability (CVE-2026-26127)
Another publicly disclosed bug, this one targets .NET applications. The immediate impact is denial of service via a crash, but during a reboot, other attack types may become possible. While not as severe as remote code execution, the public disclosure means exploit code may be circulating. Update your .NET runtimes and applications promptly to prevent service interruptions. This flaw highlights the importance of patching even lower-severity issues when they are publicly known.
3. Critical Office Remote Code Execution via Preview Pane (CVE-2026-26113, CVE-2026-26110)
Two critical remote code execution flaws in Microsoft Office allow attackers to compromise a system just by viewing a malicious message in the Preview Pane. No user interaction beyond previewing is required, making this a dangerous vector for phishing attacks. Enterprise users who rely on Outlook's preview feature should apply the patch immediately. The vulnerabilities affect multiple Office versions. This is a classic example of a “preview pane” exploit that bypasses typical user safeguards.
4. Windows Accessibility Infrastructure Privilege Escalation (CVE-2026-24291)
An incorrect permission assignment in the Windows Accessibility module lets an attacker escalate privileges to SYSTEM level (CVSS 7.8). This flaw is rated “exploitation more likely” by Microsoft. It could be used in combination with another vulnerability to take full control of a machine. Ensure your Windows systems are updated, especially those with assistive technologies enabled. Patch quickly to prevent local privilege escalation attacks.
5. SMB Server Authentication Bypass (CVE-2026-24294)
Improper authentication in the core SMB component allows privilege escalation (CVSS 7.8). An attacker with network access could potentially gain higher privileges. This flaw is also marked as more likely to be exploited. SMB is a common attack vector in lateral movement, so this patch is critical for defending against ransomware and other network-based threats. Prioritize on servers and workstations that share files.
6. Windows Kernel Memory Corruption and Race Condition (CVE-2026-24289)
A high-severity memory corruption and race condition in the Windows kernel (CVSS 7.8) could allow an attacker to elevate privileges. This vulnerability affects many Windows versions. The complexity of exploiting a race condition may lower immediate risk, but Microsoft still rates it as likely to be exploited. Update your kernel to close this hole. This is another reminder to keep your operating system patched against privilege escalation chains.
7. Winlogon Weakness Discovered by Google Project Zero (CVE-2026-25187)
This Winlogon vulnerability (CVSS 7.8) was found by Google's Project Zero team. It could allow privilege escalation to SYSTEM. Because it was discovered by an external security team, there may be active research or exploit development. Microsoft rates it as more likely to be exploited. Apply this patch urgently, especially on domain controllers and critical servers. Winlogon handles user logon processes, making it a sensitive component.
8. AI-Discovered Bug in Microsoft Devices Pricing Program (CVE-2026-21536)
A critical remote code execution vulnerability in the Microsoft Devices Pricing Program was discovered by XBOW, an autonomous AI penetration testing agent. This marks one of the first CVEs attributed to Windows discovered by AI. Interestingly, Microsoft has already resolved the issue server-side, so no user action is required. However, it highlights the growing role of AI in vulnerability research. Ben McCarthy of Immersive called it notable for being identified by an AI agent. Keep an eye on future AI-discovered flaws.
These eight patches cover the most pressing issues from this month's Patch Tuesday. While no zero-days were disclosed, the combination of publicly known bugs, critical Office flaws, and privilege escalation vulnerabilities makes this update essential. Revisit the Office section for details on preview pane exploits. Apply all patches as soon as possible to maintain a strong security posture.