Microsoft Tuesday Patch fixes 83 Vulnerabilities Including 2 Actively Exploited Zero-Days
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2026-03-10 |
| No. of Patches | 83 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
Microsoft patched a total of 83 flaws across Windows, Office, SQL Server, Azure, and more on March 10, 2026. The updates tackle 46 elevation of privilege issues, 18 remote code execution flaws, and others like denial of service and info leaks.
Key highlights include two zero-days: one in SQL Server that lets attackers grab admin rights over the network, and one in .NET that causes DoS crashes.
Three critical vulns stand out, two being Office RCEs exploitable via preview pane.
Here are the CVE addresses for Microsoft & non-Microsoft:
Breakdown of March 2026 Vulnerabilities
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Azure Compute Gallery Confidential Containers Elevation of Privilege | CVE-2026-23651 | Azure Compute Gallery | Critical | 9.0 |
| Azure Compute Gallery Confidential Containers Elevation of Privilege | CVE-2026-26124 | Azure Compute Gallery | Critical | 9.0 |
| Azure Compute Gallery Confidential Containers Information Disclosure | CVE-2026-26122 | Azure Compute Gallery | Critical | 9.1 |
| Microsoft Office Remote Code Execution | CVE-2026-26110 | Microsoft Office | Critical | 8.8 |
| Microsoft Office Remote Code Execution | CVE-2026-26113 | Microsoft Office | Critical | 8.8 |
| Microsoft Devices Pricing Program Remote Code Execution | CVE-2026-21536 | Microsoft Devices Pricing Program | Critical | 9.8 |
| Payment Orchestrator Service Elevation of Privilege | CVE-2026-26125 | Payment Orchestrator Service | Critical | 9.8 |
| SQL Server Native Client Remote Code Execution (Zero-Day) | CVE-2026-21262 | SQL Server Native Client | Important | 8.8 |
| .NET and .NET Framework Denial of Service (Zero-Day) | CVE-2026-26127 | .NET and .NET Framework | Important | 7.5 |
Technical Summary
Most bugs are elevation of privilege (46 total), with Windows components like Kernel, NTFS, and SMB heavily hit. Office sees multiple RCEs and a nasty Excel info disclosure that could leak data through Copilot agents.
Azure has critical ACI container flaws for priv esc and info disclosure. No zero-days under active attack, but SQL Server’s improper access control and .NET’s out-of-bounds read are now fixed, so update SQL and .NET apps first.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2026-23651 | Azure Compute Gallery Confidential Containers | Privilege handling flaw enables container escape to host privileges | Elevation of Privilege |
| CVE-2026-26124 | Azure Compute Gallery Confidential Containers | Container boundary violation allows priv esc to full VM control | Elevation of Privilege |
| CVE-2026-26122 | Azure Compute Gallery Confidential Containers | Config leak exposes sensitive container data to unauthorized access | Information Disclosure |
| CVE-2026-26110 | Microsoft Office | Preview pane triggers code execution from malicious docs | Remote Code Execution |
| CVE-2026-26113 | Microsoft Office | File parsing flaw runs arbitrary code during document preview | Remote Code Execution |
| CVE-2026-21536 | Microsoft Devices Pricing Program | Remote unauth code execution via service endpoint abuse | Remote Code Execution |
| CVE-2026-26125 | Payment Orchestrator Service | Auth bypass grants elevated access to payment processing | Elevation of Privilege |
| CVE-2026-21262 | SQL Server Native Client | Improper access control allows remote attackers to gain admin privileges without auth (Zero-Day) | Elevation of Privilege |
| CVE-2026-26127 | .NET and .NET Framework | Out-of-bounds read causes denial of service crashes on malformed input (Zero-Day) | Denial of Service |
Key Affected Products and Services
March 2026 updates address vulnerabilities across:
Kernel, NTFS, SMB, SQL Server Native Client
Word, Excel; RCE via preview pane and data leaks
Compute Gallery Confidential Containers, Payment Orchestrator
.NET apps, runtime components prone to crashes
SQL Server for remote priv esc risks
Remediation:
Conclusion:
Get these patches rolled out fast, especially on Office and server setups; pentesters chain these priv esc bugs all the time.
No active exploits reported yet, but don’t wait around. Check vendor notes for Adobe and others syncing up this month too.