Microsoft released its March 2026 Patch Tuesday updates on March 10, fixing 83 CVEs across Windows, Office, SQL Server, Azure, and .NET. None are actively exploited, but the release carries real weight: two publicly disclosed zero-days, a critical Excel flaw that enables zero-click data exfiltration through Microsoft 365 Copilot, and Office remote code execution bugs that fire through the Preview Pane before a file is even opened.
March 2026 comes in larger than February, which was a comparatively light 63-patch cycle. The jump in volume alone is not alarming, but the composition of this month's release demands careful review. The presence of two publicly disclosed flaws, several "Exploitation More Likely" designations across foundational Windows components, and a zero-click exfiltration scenario tied to Microsoft 365 Copilot means this update touches attack surfaces that range from on-premises SQL servers to cloud-assisted productivity workflows. Security researchers from Tenable, Action1, Fortra, and SOCRadar have all weighed in, and the consensus is the same: patch promptly and prioritize by exposure.
Release Overview and Vulnerability Breakdown
Of the 83 Microsoft CVEs addressed, eight are rated Critical and 75 are rated Important. Zero are rated Moderate or Low. That severity distribution reflects a deliberate shift in how Microsoft has been categorizing vulnerabilities in recent cycles — fewer ambiguous middle-ground ratings, more binary critical-or-important assignments. Tenable's count also excludes one CVE, CVE-2026-26030, which was assigned by GitHub rather than Microsoft directly.
By vulnerability type, Elevation of Privilege (EoP) flaws dominate at 55.4% of the total, according to Tenable's research team. Remote Code Execution (RCE) vulnerabilities account for approximately 20.5%. The remainder covers denial of service, information disclosure, and spoofing. The heavy skew toward EoP is significant from an attacker tradecraft perspective: privilege escalation is typically not a first-stage attack but a second- or third-stage one. Attackers chain EoP bugs with initial access or lateral movement techniques to achieve persistence and SYSTEM-level control.
| Vulnerability Type | Share of Patches |
|---|---|
| Elevation of Privilege (EoP) | 55.4% |
| Remote Code Execution (RCE) | ~20.5% |
| Denial of Service, Information Disclosure, Spoofing | Remainder |
In addition to the 83 Microsoft CVEs, the update bundles 10 republished non-Microsoft CVEs. These include a flaw in the Microsoft Semantic Kernel Python SDK and nine issues in Microsoft Edge, which is based on the Chromium engine. Microsoft distributed separate Edge browser updates for the Chromium-related issues outside the main Patch Tuesday bundle. For enterprise teams, these non-Microsoft CVEs represent a secondary priority behind the higher-risk first-party fixes.
The Two Publicly Disclosed Zero-Days
Two vulnerabilities in this release were publicly disclosed before Microsoft had patches available, technically qualifying them as zero-days. Neither has been confirmed as actively exploited in the wild, but public disclosure before a patch significantly compresses the window between researcher knowledge and attacker weaponization.
CVE-2026-21262 — SQL Server Elevation of Privilege (CVSS 8.8)
CVE-2026-21262 is an improper access control flaw in Microsoft SQL Server. An authenticated attacker can exploit it over a network to escalate privileges to SQL sysadmin level. It received a CVSSv3 score of 8.8 and is rated Important. Two additional EoP flaws in SQL Server, CVE-2026-26115 and CVE-2026-26116, were patched in the same cycle, both also scoring 8.8 and both deemed "Exploitation Less Likely." A successful exploit of any one of these three flaws would hand an attacker sysadmin-level SQL privileges, effectively full control over the database instance and all its data.
Satnam Narang, Senior Staff Research Engineer at Tenable, noted that the denial-of-service issue requires prior authorization to exploit and is rated unlikely to be weaponized, while the privilege escalation flaw similarly carries a low exploitability assessment.
Narang's assessment reflects Microsoft's internal exploitability rating, a measure of how technically difficult it is to weaponize the flaw. What it does not measure is the disclosure timeline risk. When a CVE is publicly known before a patch exists, the equation changes. Researchers and threat actors both have the same starting point: a known vulnerability with no available fix. Proof-of-concept code typically emerges within days of public disclosure events, not weeks.
SQL Server instances are frequently network-accessible across internal segments, making lateral movement scenarios realistic once sysadmin is achieved. xp_cmdshell, linked server abuse, and direct data access all become available. The "exploitation less likely" label applies to spontaneous exploitation without advance knowledge — not to targeted attacks by actors who have been watching the disclosure.
CVE-2026-26127 — .NET Denial of Service (CVSS 7.5)
CVE-2026-26127 is an out-of-bounds read vulnerability affecting .NET 9.0 and 10.0 on Windows, macOS, and Linux. It enables a network-based denial of service without requiring authentication. It scored 7.5 and is rated Important. Microsoft assessed exploitation as unlikely, and unlike the SQL Server flaw, no privilege gain is possible here — the impact is service disruption only. That said, .NET's cross-platform reach means the affected surface spans well beyond Windows-only environments.
Organizations running .NET on non-Windows infrastructure should confirm whether their deployment pipelines pull patches from Microsoft's NuGet feeds or require manual update procedures on Linux and macOS hosts.
All Eight Critical CVEs
Microsoft designated eight vulnerabilities as Critical in this release. The full list, with CVSS scores and product context:
| CVE | CVSS | Product | Type |
|---|---|---|---|
| CVE-2026-21536 | 9.8 | Microsoft Devices Pricing Program | Remote Code Execution |
| CVE-2026-26125 | 8.6 | Payment Orchestrator Service | Elevation of Privilege |
| CVE-2026-26110 | 8.4 | Microsoft Office | Remote Code Execution |
| CVE-2026-26113 | 8.4 | Microsoft Office | Remote Code Execution |
| CVE-2026-26148 | 8.1 | Azure Entra ID | Elevation of Privilege |
| CVE-2026-26144 | 7.5 | Microsoft Excel | Information Disclosure |
| CVE-2026-23651 | 6.7 | Azure Compute Gallery | Elevation of Privilege |
| CVE-2026-26124 | 6.7 | Azure Compute Gallery | Elevation of Privilege |
CVE-2026-21536 — The Highest Score at 9.8
CVE-2026-21536 is the top-scoring vulnerability in this release. It is a remote code execution flaw in Microsoft's Devices Pricing Program with a CVSS score of 9.8. Despite that number, this one requires no customer action. Microsoft has already applied a server-side mitigation, and the company stated publicly: "There is no action for users of this service to take." The flaw is notable for its score, not its urgency, and serves as a reminder that CVSS alone does not determine operational priority.
CVE-2026-26110 and CVE-2026-26113 — Office RCE via Preview Pane
These two Critical Office RCE vulnerabilities are where security researchers are concentrating attention. Both allow code execution without a user needing to fully open a document. The Preview Pane is listed as an attack vector for both flaws, meaning a user browsing to a malicious file in Windows Explorer or Outlook can trigger exploitation before the file is opened. CVE-2026-26110 is a type confusion flaw resulting in improper memory handling when Office accesses a resource using an incompatible data type. CVE-2026-26113 is an untrusted pointer dereference.
Jack Bicer, Director of Vulnerability Research at Action1, observed that when document preview alone is enough to trigger code execution, attackers gain direct entry into the system without requiring any further user action.
The Preview Pane attack vector lowers the exploitation bar considerably. Office documents are among the highest-volume file types exchanged across organizations, shared through email, collaboration platforms, and file servers simultaneously. One malicious document reaching the wrong inbox, combined with a Preview Pane interaction, could trigger full code execution without the recipient ever intentionally opening the file.
If the March security update cannot be applied immediately, disable the Preview Pane in Windows Explorer and Outlook, and restrict the opening of Office files from untrusted sources. Implement email filtering, attachment scanning, and endpoint protection monitoring to reduce the risk of malicious document delivery. Source: Action1 advisory, March 2026.
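As an added example, not code from the Action1 advisory or from this article, the following PowerShell applies the File Explorer "Turn off Preview Pane" policy for the current user as the interim control described above and then verifies that it is in place. It assumes the policy is stored as the NoReadingPane DWORD under the per-user Policies\Explorer key, which is how the Explorer ADMX template names it; the Outlook Reading Pane is a separate Office setting and is not changed here.

```powershell
# Added example (not part of the Action1 advisory or the article): turn off the
# File Explorer Preview Pane by policy for the current user and verify it.
# Assumption: the "Turn off Preview Pane" policy maps to the DWORD NoReadingPane
# under Policies\Explorer, as named in the Explorer ADMX template.

$ExplorerPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-ExplorerPreviewPane {
    # Create the policy key if no Explorer policies have ever been set for this user.
    if (-not (Test-Path -Path $ExplorerPolicyKey)) {
        New-Item -Path $ExplorerPolicyKey -Force | Out-Null
    }
    # Value 1 = Preview Pane turned off; -Force overwrites any existing value.
    New-ItemProperty -Path $ExplorerPolicyKey -Name 'NoReadingPane' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-ExplorerPreviewPaneDisabled {
    # Returns $true only when the policy value exists and is set to 1.
    $item = Get-ItemProperty -Path $ExplorerPolicyKey -Name 'NoReadingPane' -ErrorAction SilentlyContinue
    return [bool]($item -and $item.NoReadingPane -eq 1)
}

Disable-ExplorerPreviewPane
if (Test-ExplorerPreviewPaneDisabled) {
    Write-Output 'Preview Pane policy set; open a new File Explorer window to confirm the pane is gone.'
} else {
    Write-Warning 'Policy value was not written; check registry permissions and Group Policy precedence.'
}
```

For fleet-wide use, the same setting is the Group Policy item under User Configuration > Administrative Templates > Windows Components > File Explorer > Explorer Frame Pane > Turn off Preview Pane; once the March Office update is confirmed on a host, remove the value to restore the pane.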
Six Flaws Flagged as Exploitation More Likely
Microsoft's Exploitability Index assigned "Exploitation More Likely" designations to six vulnerabilities in this release. These flaws do not have confirmed exploitation at time of release, but the designation signals that Microsoft's internal analysis determined practical exploit development is realistic in the near term. All six are local EoP vulnerabilities affecting core Windows components:
- Windows Graphics Component — CVE-2026-23668 (CVSS 7.0)
- Windows Accessibility Infrastructure (ATBroker)
- Windows Kernel — CVE-2026-24289 and CVE-2026-26132 (CVSS 7.8 each)
- Windows SMB Server
- Winlogon
The Kernel flaws deserve particular focus. CVE-2026-26132 and CVE-2026-24289 both allow a local, authenticated attacker to gain SYSTEM privileges. Tenable noted that including these two, six EoP vulnerabilities affecting the Windows Kernel have now been patched in 2026 alone. Kernel and SMB vulnerabilities are standard fixtures in multi-stage attack chains: an attacker achieves initial access through phishing or a web exploit, then uses a kernel EoP to reach SYSTEM before establishing persistence. Winlogon and Accessibility Infrastructure flaws follow the same pattern, targeting components deeply embedded in Windows authentication and UI workflows.
Tyler Reguly, Associate Director of Security R&D at Fortra, recommended that security leaders prioritize maintaining accurate asset inventories covering cloud-related systems and tools. Reguly's position: knowing what you have and where it lives is the foundation that empowers both sysadmin and security teams to respond quickly, particularly in months where the overall release is lighter.
Six Kernel EoPs in Three Months: What the Pattern Signals
The count is worth pausing on. Six Windows Kernel elevation of privilege vulnerabilities patched in a single quarter is not routine noise. It suggests sustained researcher and attacker attention on the kernel as an exploitation target, and raises a practical question for security teams: how long does kernel patching take in your environment, and are those timelines appropriate given the volume of findings?
Kernel EoPs occupy a specific role in attack chains. They are rarely first-stage vulnerabilities. An attacker needs some form of foothold first — a phishing success, a web exploit, an insider error — and then reaches for a kernel flaw to break out of user-mode constraints and achieve SYSTEM. The implication is that endpoint detection at the initial access stage is doing significant work in preventing kernel EoP exploitation from mattering. Organizations with strong endpoint telemetry and rapid alert response will naturally reduce the risk window that these flaws represent. Those without it are relying on patch velocity alone. For a technical look at how attackers use Windows kernel internals to bypass EDR and escalate to SYSTEM, the BYOVD technique remains the canonical illustration of this attack surface in practice.
The six-in-a-quarter cadence also points to an uncomfortable structural truth: the Windows kernel attack surface is large, the codebase is old, and vulnerability researchers are motivated. That combination is not going to produce a quiet back half of 2026. Teams that treat each kernel patch as an isolated event rather than part of an ongoing pattern will perpetually be reacting. The sustainable posture is to treat kernel EoP patching as a standing priority rather than a variable one, with agreed SLAs that do not require a per-patch risk assessment to trigger action.
Entra ID and the Payment Layer: Two Overlooked Criticals
Two Critical-rated CVEs in this release received table entries but no substantive analysis from the security community: CVE-2026-26148 in Azure Entra ID and CVE-2026-26125 in Microsoft's Payment Orchestrator Service. Both deserve attention that the headline numbers alone do not give them.
CVE-2026-26148 — Azure Entra ID Elevation of Privilege (CVSS 8.1)
CVE-2026-26148 is an EoP vulnerability in Azure Entra ID rated Critical with a CVSS score of 8.1. Entra ID is Microsoft's cloud identity platform, the successor to Azure Active Directory and the authentication backbone for a large share of enterprise Microsoft 365, Azure, and hybrid environments. An EoP flaw in the identity layer is categorically different from an EoP in a peripheral component. Privilege escalation within Entra ID could allow an attacker who has already obtained a foothold in a tenant to elevate their access level, potentially gaining administrative permissions over identity resources, conditional access policies, or privileged roles.
The specific exploitation mechanism has not been detailed in public advisories at time of publication, but the attack surface context matters regardless. Entra ID is woven into authentication workflows across cloud applications, hybrid on-premises environments, and federated identity configurations. Organizations that have adopted zero-trust architectures typically rely on Entra ID as a primary enforcement point for access control decisions. A compromised identity layer does not just expose one resource — it can cascade across everything downstream that trusts Entra's authentication signals. Any organization running Microsoft 365 or Azure workloads should treat this patch with the same urgency applied to the Office RCE flaws.
A standard EoP flaw elevates a local attacker on a single machine. An Entra ID EoP operates at the identity plane, where gaining a privileged role does not compromise one asset but rather the trust decisions that protect all assets. Conditional access policies, privileged identity management, and Privileged Access Workstation (PAW) controls all rely on Entra as the enforcement point.
If an attacker can elevate to Global Administrator or Privileged Role Administrator, they can modify conditional access policies to exempt their own activity, create persistent backdoor accounts, and access every application registered in the tenant. The CVSS score of 8.1 reflects technical difficulty; it does not reflect the blast radius of a successful escalation in a large Microsoft 365 tenant.
CVE-2026-26125 — Payment Orchestrator Service (CVSS 8.6)
CVE-2026-26125 is a Critical EoP vulnerability in the Payment Orchestrator Service scoring 8.6. For many security teams, the immediate question is: what is the Payment Orchestrator Service, and is it running in our environment?
The Payment Orchestrator Service is a Microsoft component involved in payment processing workflows, relevant primarily to organizations using Microsoft commercial transaction infrastructure or specific Microsoft 365 Commerce integrations. It is not a universally deployed component, but for organizations where it is present, an EoP vulnerability scoring 8.6 in a payment-adjacent service carries compliance implications beyond the patch itself. PCI DSS-scoped environments are required to track and remediate vulnerabilities in systems that touch cardholder data or payment workflows. Security teams in those organizations should confirm whether Payment Orchestrator Service falls within their compliance boundary and document remediation accordingly, not just apply the patch.
Both of these vulnerabilities illustrate a recurring dynamic in large Patch Tuesday releases: the headline CVEs draw attention, and the second tier of Criticals gets treated as background noise. The risk of that pattern is that a well-resourced attacker looks specifically for the overlooked patches — the ones that got a row in a table and nothing else — because those are the ones likely to remain unpatched longest.
The Copilot Problem: CVE-2026-26144
CVE-2026-26144 is a Critical-rated information disclosure vulnerability in Microsoft Excel with a CVSS score of 7.5. On the surface, a 7.5 information disclosure flaw might not appear to belong in the Critical tier. The rating reflects the specific mechanism of exploitation: this is a cross-site scripting flaw that Microsoft states can cause the Copilot Agent to exfiltrate data via unintended network egress, with no user interaction required.
That last phrase is critical. A zero-click exfiltration scenario means an attacker who can deliver a malicious Excel file into an environment where Microsoft 365 Copilot is active could trigger data leakage without the recipient taking any action beyond receiving the file. The attack weaponizes the AI layer — Copilot — as the exfiltration channel rather than exploiting traditional network paths.
Alex Vovk, CEO and Co-Founder of Action1, described the scenario as one where a single malicious Excel file interaction could silently redirect sensitive organizational data across the network, effectively converting an ordinary spreadsheet into a covert exfiltration tool.
This represents a new class of AI-adjacent attack surface that security teams need to actively plan for. The vulnerability is not in Copilot itself, but in Excel's input handling — Copilot simply becomes the vehicle through which exfiltrated data travels. Organizations deploying Microsoft 365 Copilot broadly, particularly in environments handling sensitive financial, legal, or HR data in Excel, should treat this patch as urgent regardless of the 7.5 CVSS score. CVSS does not factor in business context, data sensitivity, or the presence of AI tooling in the exfiltration path.
Traditional DLP controls monitor known egress paths: email attachments, web uploads, USB writes, and sanctioned cloud sync. The Copilot exfiltration vector exits via the Copilot agent's network activity — a path that most DLP configurations were not built to inspect, because AI agent network behavior was not a threat model consideration when those policies were written.
Even organizations with mature DLP programs may have a gap here. The practical question is: does your DLP tooling inspect outbound traffic from AI agent processes? Does your SIEM have signatures for anomalous Copilot network egress patterns? If the answer to either is uncertain, patching this CVE is table stakes, but auditing your AI monitoring coverage is the more durable control.
This is also the first confirmed case of an LLM-adjacent component being used as an exfiltration channel in a Microsoft Patch Tuesday disclosure. It will not be the last. AI integrations multiply egress paths faster than security programs have historically updated their threat models.
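One concrete form of the per-process egress check the DLP gap above calls for, as an added example that is not from the article: PowerShell that flags connections made by an AI agent process to destinations outside an allowlist, run here over constructed records shaped like the fields of a Sysmon Event ID 3 (network connection) event. The agent executable name and the allowlist are placeholders to replace with your environment's values; none of the sample records is real telemetry.

```powershell
# Added example (not from the article): a per-process egress allowlist check.
# Assumptions: $AgentProcessNames is a placeholder for the AI agent executable
# name(s) in your environment, and $AllowedDestinations is a placeholder for the
# service endpoints that process is expected to reach.

$AgentProcessNames   = @('ai-agent-placeholder.exe')         # placeholder, not a real binary name
$AllowedDestinations = @('*.office.com', '*.microsoft.com')  # placeholder allowlist patterns

# Constructed sample events (made up for this example), using Sysmon Event ID 3 field names.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2026-03-11 09:14:02'; Image = 'C:\Placeholder\ai-agent-placeholder.exe'; DestinationHostname = 'graph.microsoft.com'; DestinationPort = 443 },
    [pscustomobject]@{ UtcTime = '2026-03-11 09:14:05'; Image = 'C:\Placeholder\ai-agent-placeholder.exe'; DestinationHostname = 'files.example.net';    DestinationPort = 443 },
    [pscustomobject]@{ UtcTime = '2026-03-11 09:14:09'; Image = 'C:\Windows\System32\svchost.exe';          DestinationHostname = 'files.example.net';    DestinationPort = 443 },
    [pscustomobject]@{ UtcTime = '2026-03-11 09:14:12'; Image = 'C:\Placeholder\ai-agent-placeholder.exe'; DestinationHostname = '203.0.113.10';         DestinationPort = 8080 }
)

function Test-AllowedDestination {
    # True when the destination matches any allowlist wildcard pattern.
    param([string]$Hostname)
    foreach ($pattern in $AllowedDestinations) {
        if ($Hostname -like $pattern) { return $true }
    }
    return $false
}

function Find-UnexpectedAgentEgress {
    # Returns the events in which an agent process reached a destination outside the allowlist.
    param([object[]]$Events)
    $Events | Where-Object {
        ($AgentProcessNames -contains (Split-Path -Path $_.Image -Leaf)) -and
        -not (Test-AllowedDestination -Hostname $_.DestinationHostname)
    }
}

$findings = Find-UnexpectedAgentEgress -Events $SampleEvents
foreach ($f in $findings) {
    Write-Output ('ALERT {0} {1} -> {2}:{3}' -f $f.UtcTime, (Split-Path -Path $f.Image -Leaf), $f.DestinationHostname, $f.DestinationPort)
}
```

On the sample set this prints two ALERT lines (the files.example.net and 203.0.113.10 connections); the svchost.exe connection is ignored because it is not an agent process. A destination given as a bare IP never matches a hostname pattern and is therefore flagged by design. In production the records would come from `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=3}` or the SIEM's equivalent, and the allowlist should be built from the endpoints the agent is observed using during a baseline period.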
An MCP Server Vulnerability in Azure
CVE-2026-26118 is an EoP vulnerability in Azure Model Context Protocol (MCP) Server. An attacker can exploit it by sending crafted input to a vulnerable Azure MCP Server that accepts user-provided parameters, ultimately gaining elevated privileges. MCP is an open standard introduced in 2024 by Anthropic, designed to allow large language models to connect to external data sources and tools. Microsoft has adopted MCP as part of its Azure AI infrastructure, and this flaw marks the first Patch Tuesday appearance of an MCP-specific vulnerability.
The Azure MCP Server flaw is a practical consequence of integrating AI connectivity standards into enterprise cloud environments. As organizations wire LLMs into internal tooling through MCP, the protocol's server implementations become part of the security perimeter. That transition is happening faster than many security programs have updated their threat models to account for. MCP servers by design accept structured input from AI agents and route requests to external tools and data sources. Any implementation flaw in that input-handling layer introduces a privilege boundary that an attacker with access to the AI interaction layer could potentially cross.
This is the first time an MCP-specific CVE has appeared in a Microsoft Patch Tuesday release, but it is unlikely to be the last. The MCP ecosystem is growing rapidly, with dozens of server implementations across cloud providers, SaaS platforms, and enterprise tools. As each of those implementations matures, their attack surfaces will receive increasing scrutiny from security researchers — the same trajectory that API gateways and container runtimes followed in earlier years. The MCP server RCE and SSRF vulnerabilities in Atlassian's ecosystem illustrate that this attack class is already expanding beyond a single vendor. Security teams that have begun MCP deployments should start treating MCP server versions with the same patch discipline applied to other infrastructure components.
Non-standard patching mechanisms may be required for Azure IoT Explorer and Azure Linux Virtual Machine flaws also included in this release, as noted by Fortra's Reguly. Cloud and hybrid teams should confirm whether CVE-2026-26118 requires customer-side action or has been mitigated at the service level, and verify that their Azure MCP Server deployments are running patched versions.
For most Windows components, patching flows through Windows Update or WSUS. "Non-standard patching" means the fix does not arrive through that channel. Azure IoT Explorer is a standalone desktop application updated through GitHub releases, not Windows Update. Azure Linux Virtual Machine flaws may require customers to pull updated OS images or apply package updates through their distribution's package manager rather than waiting for a Windows Update delivery. Security teams managing these assets need to check Microsoft's advisory pages per CVE to determine the correct update path, rather than assuming the standard enterprise patch pipeline covers them.
The Semantic Kernel SDK Flaw
This release bundles a CVE in the Microsoft Semantic Kernel Python SDK among the ten republished non-Microsoft CVEs. The security community largely categorized it as a secondary priority item, but the nature of the affected component warrants more than a passing mention.
Semantic Kernel is Microsoft's open-source SDK for building AI applications, allowing developers to integrate LLMs into applications through a unified orchestration layer. It supports Python, C#, and Java, and is widely used in enterprise AI development as the programmatic foundation for agents, plugins, and AI-powered workflows. A vulnerability in an SDK at this layer does not expose a deployed service in the way a server-side flaw does. It exposes every application built on top of that SDK that has not been updated.
The relevant question for security teams is not whether Semantic Kernel is on the standard patch list — it almost certainly is not. The relevant question is whether developers in the organization are using it, and whether those development environments and deployed applications have dependency update processes that will surface this fix. SDK vulnerabilities frequently outlive their initial disclosure because the remediation path requires developer action rather than an IT patch deployment, and developer toolchains often lack the automated vulnerability tracking that infrastructure teams have in place. Organizations with active AI development practices should audit their Semantic Kernel dependency versions and confirm they are running a patched release.
Full Product Coverage
March 2026 Patch Tuesday patches span a wide cross-section of the Microsoft product catalog. The full list of affected products includes:
- .NET and ASP.NET Core
- Active Directory Domain Services
- Azure Arc, Azure Compute Gallery, Azure Entra ID, Azure IoT Explorer, Azure Linux Virtual Machines, Azure MCP Server, Azure Portal Windows Admin Center, Azure Windows Virtual Machine Agent
- Broadcast DVR
- Connected Devices Platform Service (Cdpsvc)
- Microsoft Authenticator
- Microsoft Brokering File System
- Microsoft Devices Pricing Program
- Microsoft Graphics Component
- Microsoft Office, Microsoft Office Excel, Microsoft Office SharePoint
- Payment Orchestrator Service
- Push Message Routing Service
- Role: Windows Hyper-V
- SQL Server
- System Center Operations Manager
- Windows Accessibility Infrastructure (ATBroker)
- Windows Kernel, Windows SMB Server, Winlogon, Windows Graphics Component
Adobe shipped 80 vulnerability fixes on the same day, covering Adobe Commerce and other products with high-severity flaws. IT teams managing mixed Microsoft and Adobe environments should coordinate patch scheduling across both vendors for March.
Key Takeaways for Security Teams
- Patch the Office Preview Pane RCEs first on endpoints and email infrastructure: CVE-2026-26110 and CVE-2026-26113 require no user interaction beyond previewing a file. Disable the Preview Pane as an interim control if patching is delayed, and apply attachment scanning at the email gateway.
- Treat CVE-2026-26144 as a data loss prevention event, not just a patch item: The zero-click Copilot exfiltration flaw affects any organization running Microsoft 365 Copilot in environments where Excel handles sensitive data. The CVSS score understates the business impact. Prioritize this patch regardless of severity rating.
- Accelerate SQL Server patching before CVE-2026-21262 is weaponized: The public disclosure of this EoP flaw before the patch was available compresses the timeline to exploitation. Any SQL Server instance accessible over an internal network should be patched promptly.
- Do not let CVE-2026-26148 and CVE-2026-26125 get lost in the noise: The Entra ID EoP and Payment Orchestrator Service EoP are Critical-rated vulnerabilities that received no headline attention. Entra ID is the identity backbone for Microsoft cloud environments. Payment Orchestrator may sit inside a PCI compliance boundary. Both deserve explicit prioritization, not just inclusion in a general patch wave.
- Review the six "Exploitation More Likely" EoPs against your endpoint controls: The Windows Kernel, SMB Server, Winlogon, and Accessibility Infrastructure flaws all assume an authenticated local attacker. Defense-in-depth measures — endpoint detection, least privilege, and lateral movement controls — reduce exposure while patches are validated and deployed.
- Inventory your cloud and AI infrastructure before assuming server-side mitigation: CVE-2026-21536 and some Azure flaws have already been mitigated server-side, but Azure IoT Explorer and Azure Linux VM CVEs require non-standard customer-side action. Confirm patch status per asset, not per product category. Check Semantic Kernel SDK versions in development environments and deployed applications separately from the standard patch pipeline.
- Treat the MCP CVE as a signal, not just a line item: CVE-2026-26118 is the first MCP-specific vulnerability on Patch Tuesday. Organizations deploying MCP servers as part of AI infrastructure should start version-tracking those components with the same discipline applied to API gateways and other middleware.
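Tying together the verification tasks this page spreads across the .NET, Azure update path, Semantic Kernel and takeaway sections, here is an added PowerShell sweep, not from the article or any vendor, that compares what is installed on a host with the fixed versions recorded from Microsoft's per-CVE advisories. Every value in $Expected is a placeholder: the fixed KB, .NET runtime versions, SQL Server build and semantic-kernel package version are not on this page and must be filled in from the advisories.

```powershell
# Added example (not from the article or from any vendor): a per-asset patch
# verification sweep. Every value in $Expected is a PLACEHOLDER to be filled in
# from Microsoft's advisory for the relevant CVE; none is a real build number.

$Expected = @{
    WindowsKB         = 'KB0000000'                                                # placeholder cumulative update KB
    DotnetMinimum     = @{ '9.0' = [version]'9.0.0'; '10.0' = [version]'10.0.0' }  # placeholder fixed runtime versions
    SqlServerMinimum  = [version]'0.0.0.0'                                         # placeholder fixed SQL Server build
    SemanticKernelMin = [version]'0.0.0'                                           # placeholder fixed package version
}

function Test-WindowsUpdateInstalled {
    # True when the expected cumulative update appears in the installed hotfix list.
    param([string]$KB)
    return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

function Get-DotnetRuntimeVersions {
    # Parses lines such as "Microsoft.NETCore.App 9.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]".
    if (-not (Get-Command dotnet -ErrorAction SilentlyContinue)) { return @() }
    dotnet --list-runtimes 2>$null | ForEach-Object {
        if ($_ -match '^Microsoft\.NETCore\.App\s+(\d+\.\d+\.\d+)') { [version]$Matches[1] }
    }
}

function Test-DotnetPatched {
    # Every installed .NET 9.0 or 10.0 runtime must be at or above its fixed version.
    param([version[]]$Installed)
    foreach ($v in $Installed) {
        $line = '{0}.{1}' -f $v.Major, $v.Minor
        if ($Expected.DotnetMinimum.ContainsKey($line) -and $v -lt $Expected.DotnetMinimum[$line]) {
            return $false
        }
    }
    return $true
}

function Get-SqlServerBuild {
    # Reads ProductVersion over an integrated-auth, encrypted connection; $Instance is a placeholder.
    param([string]$Instance = 'localhost')
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=True;Encrypt=True")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32))"
        return [version]$cmd.ExecuteScalar()
    } finally {
        $conn.Dispose()
    }
}

function Get-SemanticKernelVersion {
    # Reads the semantic-kernel package version from the Python environment on PATH.
    if (-not (Get-Command python -ErrorAction SilentlyContinue)) { return $null }
    $out = python -c "import importlib.metadata as m; print(m.version('semantic-kernel'))" 2>$null
    if ($LASTEXITCODE -eq 0 -and $out) { return [version]("$out".Trim()) }
    return $null
}

# Per-asset results, one line each; a failure to reach SQL Server is reported, not hidden.
$results = [ordered]@{}
$results['Windows CU present']         = Test-WindowsUpdateInstalled -KB $Expected.WindowsKB
$results['.NET 9/10 runtimes patched'] = Test-DotnetPatched -Installed @(Get-DotnetRuntimeVersions)
try   { $results['SQL Server patched'] = (Get-SqlServerBuild) -ge $Expected.SqlServerMinimum }
catch { $results['SQL Server patched'] = "not reachable: $($_.Exception.Message)" }
$sk = Get-SemanticKernelVersion
$results['Semantic Kernel patched'] = if ($sk) { $sk -ge $Expected.SemanticKernelMin } else { 'not installed' }
$results.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
```

Two caveats for use: Get-HotFix does not list Click-to-Run Office updates, so the Office and Excel fixes must be checked against the Office build number from the advisory rather than a KB; and the semantic-kernel check reads whichever Python is on PATH, so run it inside each virtual environment or container image that ships the SDK, not only on the developer's workstation.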
March 2026 Patch Tuesday is not the emergency that February's six actively exploited zero-days represented. But it is far from routine. The Preview Pane RCE attack vector, the AI-assisted exfiltration scenario, and the cluster of "Exploitation More Likely" kernel flaws together describe a release that touches attack surfaces ranging from a user's inbox to an organization's cloud identity layer. The overlooked Criticals — Entra ID, Payment Orchestrator, and the Semantic Kernel SDK — carry risks that do not disappear because they did not make the headline. Six Windows Kernel EoPs in three months is a trend worth building a response cadence around, not a series of isolated patch events. Patch promptly, prioritize by business exposure, and verify remediation across on-premises, cloud, and AI development assets before closing out the cycle.
Sources: Tenable Research, March 2026; SecurityWeek; Dark Reading; Dataconomy; SOCRadar; Splashtop; Redmond Magazine