Microsoft released its March 2026 Patch Tuesday security updates, fixing over 70 vulnerabilities across its products, including two publicly disclosed flaws. Microsoft said neither flaw has been observed being actively exploited in attacks.
One of the issues (CVE-2026-21262) affects Microsoft SQL Server and allows an elevation of privilege. The vulnerability stems from improper access control that could enable an authorized attacker to escalate privileges to SQLAdmin over a network.
The second publicly disclosed vulnerability (CVE-2026-26127) impacts .NET. The flaw is a denial-of-service issue caused by an out-of-bounds read that could allow an unauthenticated attacker to crash affected services remotely.
Microsoft also addressed two remote code execution (RCE) vulnerabilities in Microsoft Office (CVE-2026-26110 and CVE-2026-26113) that can be triggered through the preview pane.
In addition, the company patched a number of high-risk flaws impacting MS Exel, GDI, RRAS, and other products.