Microsoft Patches 79 Vulnerabilities Including Two Publicly Disclosed Zero-Days

Microsoft released its monthly security updates Tuesday, patching 79 vulnerabilities across Windows, Office, Azure, SQL Server and .NET, including two publicly disclosed zero-days that security researchers had already exposed before fixes were available.

The two zero-days, CVE-2026-21262 and CVE-2026-26127, carry no confirmed active exploitation in the wild. Microsoft described the SQL Server flaw, CVE-2026-21262, as follows: "Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network." The vulnerability, which can grant an attacker SQLAdmin privileges, was credited to researcher Erland Sommarskog, who had originally disclosed the underlying issue in a technical article titled "Packaging Permissions in Stored Procedures." The second zero-day, CVE-2026-26127, is an out-of-bounds read in .NET that Microsoft said allows "an unauthorized attacker to deny service over a network." An anonymous researcher was credited with the discovery.

Despite the absence of active attacks, the public disclosure of both flaws means exploit details are already circulating. "While neither zero-day has been confirmed as actively exploited in the wild at time of release, their public disclosure means exploit details are already available, making rapid patching an urgent priority for all organisations," security analysis firm Zecurit noted.

Among the most urgent items in the update are two Critical-rated remote code execution vulnerabilities in Microsoft Office, CVE-2026-26110 and CVE-2026-26113, both scoring 8.4 on the CVSS scale according to Tenable Research. A local, unauthenticated attacker could exploit either flaw through the Office preview pane to execute code on a targeted system. Security professionals should treat an Office update as an immediate priority precisely because the preview pane is a passive attack vector requiring no file-opening action from a user.

Three Windows Kernel elevation-of-privilege vulnerabilities, CVE-2026-24287, CVE-2026-24289, and CVE-2026-26132, each scored 7.8 on the CVSS scale and were rated Important. Microsoft assessed two of them, CVE-2026-24289 and CVE-2026-26132, as "Exploitation More Likely." Tenable noted that those three flaws bring the total number of Windows Kernel elevation-of-privilege vulnerabilities patched so far in 2026 to six. Zecurit also flagged a notable information disclosure flaw in Microsoft Excel with what it described as "serious Copilot-related implications," though a specific CVE identifier for that item was not included in available advisory summaries at publication time.

The 79-vulnerability figure is the most widely cited total, reported by BleepingComputer, Impresscomputers, and Zecurit. Tenable's independent tally put the count at 83 CVEs, a difference the firm attributed to its inclusion of additional items, among them a GitHub-assigned CVE it ultimately omitted from its internal counts. Zecurit noted its 79-count excluded nine Microsoft Edge flaws and several fixes released earlier in March for Mariner, Azure, and the Payment Orchestrator Service.

By category, the 79-vulnerability release included 46 elevation-of-privilege flaws, 18 remote code execution bugs, 10 information disclosure vulnerabilities, four denial-of-service issues, four spoofing vulnerabilities, and two security feature bypass flaws.

March's patch cycle extended well beyond Microsoft. Adobe, Cisco, Fortinet, SAP, and Google all released security updates this month, with Google's Android update addressing a separate zero-day vulnerability in that platform.

Tenable advised organizations to patch systems promptly and "regularly scan your environment to identify those systems yet to be patched." For businesses dependent on Microsoft infrastructure, Roland Parker of Impress IT Solutions wrote that "timely patching plays a critical role in maintaining cybersecurity and preventing potential attacks" — a straightforward principle that carries added weight when exploit code for two vulnerabilities is already in the public domain.