Microsoft Patch Tuesday March 2026 Fixes 79 Vulnerabilities Including Two Public Zero-Days

Microsoft has released its March 2026 Patch Tuesday security updates addressing 79 vulnerabilities across its software ecosystem, including two publicly disclosed zero-day vulnerabilities. The update cycle also includes three critical vulnerabilities, two of which allow remote code execution and one that exposes sensitive information.

Patch Tuesday updates are part of Microsoft's monthly security update program designed to address vulnerabilities affecting Windows, enterprise services, and productivity applications used by organizations worldwide.

Breakdown of Vulnerabilities Fixed

The March 2026 update addresses vulnerabilities across multiple security categories. According to Microsoft, the patched flaws include:

• 46 Elevation of Privilege vulnerabilities
• 2 Security Feature Bypass vulnerabilities
• 18 Remote Code Execution vulnerabilities
• 10 Information Disclosure vulnerabilities
• 4 Denial-of-Service vulnerabilities
• 4 Spoofing vulnerabilities

These figures include only vulnerabilities addressed in Microsoft’s Patch Tuesday release and do not include additional flaws fixed earlier in the month for Microsoft Edge, Azure services, or other related platforms.

Two Publicly Disclosed Zero-Day Vulnerabilities

Among the vulnerabilities patched this month are two zero-day flaws that were publicly disclosed before patches became available. However, Microsoft stated that neither vulnerability is known to have been actively exploited in real-world attacks.

Microsoft classifies a vulnerability as a zero-day when it is publicly known or actively exploited before a security fix becomes available.

The first zero-day, tracked as CVE-2026-21262, affects SQL Server. The flaw involves improper access control that could allow an authorized attacker to elevate privileges over a network and gain SQLAdmin permissions. The vulnerability was discovered by security researcher Erland Sommarskog.

The second zero-day, CVE-2026-26127, impacts the .NET framework. It involves an out-of-bounds read vulnerability that could allow an attacker to trigger a denial-of-service condition through network interaction. The flaw was reported by an anonymous researcher.

Critical Remote Code Execution Flaws in Microsoft Office

Microsoft also addressed two remote code execution vulnerabilities affecting Microsoft Office, identified as CVE-2026-26110 and CVE-2026-26113. These flaws can be exploited via the preview pane when malicious documents are opened or previewed within the application.

Because exploitation could occur without fully opening the document, Microsoft recommends that organizations prioritize patching Office environments to mitigate potential risks.

Excel Vulnerability Linked to Copilot Data Exposure

One vulnerability drawing particular attention this month is CVE-2026-26144, an information disclosure flaw affecting Microsoft Excel. Researchers warn that the vulnerability could potentially be exploited to exfiltrate sensitive data through Microsoft Copilot’s Agent mode.

According to Microsoft, successful exploitation could enable attackers to trigger unintended network communication that leaks sensitive information without requiring user interaction, effectively enabling a zero-click information disclosure scenario.

Additional Security Updates from Other Vendors

Alongside Microsoft’s Patch Tuesday updates, several other major technology vendors also released security advisories and patches during March 2026.

Adobe issued updates addressing vulnerabilities in multiple products including Commerce, Illustrator, Substance 3D Painter, Acrobat Reader, and Premiere Pro. None of the reported flaws were known to be exploited in the wild.

Cisco released patches affecting various networking products, while Fortinet issued updates for FortiOS, FortiPAM, and FortiProxy platforms.

Google’s March Android security bulletin addressed multiple vulnerabilities, including an actively exploited zero-day affecting a Qualcomm display component.

Other updates were released by Hewlett Packard Enterprise for Aruba Networking AOS-CX and by SAP for multiple enterprise platforms, including fixes for two critical vulnerabilities.

Organizations Urged to Apply Updates Promptly

Security experts advise organizations to deploy the latest patches as soon as possible, particularly for vulnerabilities affecting widely deployed enterprise software such as Microsoft Office, SQL Server, and Windows systems.

Regular patch management remains one of the most effective defenses against cyberattacks, as many threat actors quickly attempt to exploit newly disclosed vulnerabilities once technical details become publicly available.