
Patch Tuesday - March 2026

Rapid7 | Archived Mar 17, 2026



Microsoft is publishing 77 vulnerabilities this March 2026 Patch Tuesday. Microsoft is aware of public disclosure of two of today’s vulnerabilities, but without evidence of exploitation in the wild for any (yet), so there are no Microsoft additions to CISA KEV today. Earlier in the month, Microsoft provided patches to address nine browser vulnerabilities, which are not included in the Patch Tuesday count above.

SQL Server: zero-day remote EoP

SQL Server often goes several months in a row without any mention on Patch Tuesday. Today, however, all versions from the latest and greatest SQL Server 2025 back as far as SQL Server 2016 SP3 receive patches for CVE-2026-21262, a SQL Server elevation of privilege vulnerability. This isn’t just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network. The CVSS v3 base score of 8.8 is just below the threshold for critical severity, since low-level privileges are required.

Microsoft is aware of public disclosure, so while they assess the likelihood of exploitation as less likely, it would be a courageous defender who shrugged and deferred the patches for this one. Most SQL Server admins and security teams concluded many years ago that exposing SQL Server directly to the internet was not a good idea. Then again, popular search engines for internet-connected devices describe tens of thousands of SQL Server instances, and they can’t all be honeypots.

What could an attacker do as SQL Server sysadmin? Beyond exfiltrating or interfering with the database itself, the obvious target is xp_cmdshell, which allows direct callouts to the underlying OS. The good news is that xp_cmdshell is disabled by default as far back as SQL Server 2005; the bad news is that anyone acting as SQL Server sysadmin can enable it in seconds. At that point, the attacker is acting with the full privileges of the security context under which SQL Server runs, which is ideally a purpose-built account designed with least privilege in mind. If you want to hear some hair-raising stories, you have only to ask any incident response veteran if they’ve ever seen it set up differently.

Anyone paying for Extended Security Updates (ESU) for SQL Server 2014 or SQL Server 2012 may be forgiven for wondering why there’s no security update for those venerable versions of the world’s most widely deployed closed-source database product. We can hope that the vulnerability described by CVE-2026-21262 was introduced in newer codebases only.

.NET: zero-day DoS

Attackers fond of low-effort denial of service attacks against .NET applications will be checking out CVE-2026-26127 today. Microsoft is aware of public disclosure. While the immediate impact of exploitation is likely contained to denial of service by triggering a crash, opportunities for other types of attacks might emerge during a service reboot. Alternatively, if a log forwarder or security agent is impacted, even for a brief period of time, an attacker might carry out an attack in that moment hoping to evade detection under cover of this artificial darkness. Even if a low-skilled attacker simply causes downtime, in some contexts that could be enough to cause an SLA breach or loss of revenue, or at the very least cause a bleary-eyed defender to get paged in the middle of the night.

Authenticator: QR code impersonation

Microsoft Authenticator mobile app users on both iOS and Android should update to the latest version to prevent exploitation of CVE-2026-26123, which involves a malicious app disguising itself as Microsoft Authenticator. Exploitation succeeds when the malicious app receives enough information to impersonate the user.

Authenticator-type apps are often installed on a personal device, but it's not unusual for them to provide multi-factor authentication (MFA) codes for production services in a bring-your-own-device context. This is as good a time as any for defenders to consider how well their mobile device management policy covers app choice enforcement and patching for MFA apps.

The CVSS v3 base score of 5.5 might appear unremarkable, and exploitation requires user interaction, since the user must install the malicious app in the first place. However, exploitation could begin via an attacker-controlled link, or even a malicious QR code that drives users to the malicious app, and a motivated attacker with a physical presence near the user base might well consider this option.

According to Khaled Mohamed, the researcher who discovered this vulnerability, the legitimate Microsoft Authenticator app did not previously register itself as the handler for deep links into its own custom URL scheme. A malicious app could exploit this gap by simply registering itself as the default handler. He further notes that in this scenario, a user of a mobile device with a malicious app installed only needs to click a generic “Open link” dialog, rather than expressly selecting the malicious app each time. This means that the Microsoft advisory is perhaps too optimistic about how much user interaction is required to trigger exploitation.

Microsoft ranks this vulnerability as important on their proprietary severity scale. The advisory also provides a brief peek behind the curtain, since the executive summary notes that “Cwe is not in rca”.
The weakness listed on the advisory is CWE-939: Improper Authorization in Handler for Custom URL Scheme.

Microsoft lifecycle update

There are no significant Microsoft product lifecycle changes this month, unless you are responsible for a Microsoft SQL Server 2012 Parallel Data Warehouse instance, which moves beyond extended support as of March 31st. It would be wise not to count on a last-minute extension, since Microsoft has already granted a six month reprieve.

Summary tables

Apps vulnerabilities

| CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
| --- | --- | --- | --- | --- |
| CVE-2026-26123 | Microsoft Authenticator Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |

Azure vulnerabilities

| CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
| --- | --- | --- | --- | --- |
| CVE-2026-26117 | Arc Enabled Servers - Azure Connected Machine Agent Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-23664 | Azure IoT Explorer Information Disclosure Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-23661 | Azure IoT Explorer Information Disclosure Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-23662 | Azure IoT Explorer Information Disclosure Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-26121 | Azure IOT Explorer Spoofing Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-26118 | Azure MCP Server Tools Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-26141 | Hybrid Worker Extension (Arc‑enabled Windows VMs) Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-23665 | Linux Azure Diagnostic extension (LAD) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26148 | Microsoft Azure AD SSH Login extension for Linux Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 8.1 |
| CVE-2026-23660 | Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |

Developer Tools vulnerabilities

| CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
| --- | --- | --- | --- | --- |
| CVE-2026-26127 | .NET Denial of Service Vulnerability | Exploitation Unlikely | Yes | 7.5 |
| CVE-2026-26131 | .NET Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26130 | ASP.NET Core Denial of Service Vulnerability | Exploitation Less Likely | No | 7.5 |

ESU vulnerabilities

| CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
| --- | --- | --- | --- | --- |
| CVE-2026-25177 | Active Directory Domain Services Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-23667 | Broadcast DVR Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.0 |
| CVE-2026-25190 | GDI Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25181 | GDI+ Information Disclosure Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-23674 | MapUrlToZone Security Feature Bypass Vulnerability | Exploitation Unlikely | No | 7.5 |
| CVE-2026-25165 | Performance Counters for Windows Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-24282 | Push message Routing Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-24285 | Win32k Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-24291 | Windows Accessibility Infrastructure (ATBroker.exe) Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-25186 | Windows Accessibility Infrastructure (ATBroker.exe) Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-24293 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25176 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25178 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-25179 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-25171 | Windows Authentication Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-23671 | Windows Bluetooth RFCOM Protocol Driver Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-24292 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-24295 | Windows Device Association Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-24296 | Windows Device Association Service Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.0 |
| CVE-2026-25189 | Windows DWM Core Library Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25174 | Windows Extensible File Allocation Table Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25168 | Windows Graphics Component Denial of Service Vulnerability | Exploitation Less Likely | No | 6.2 |
| CVE-2026-25169 | Windows Graphics Component Denial of Service Vulnerability | Exploitation Less Likely | No | 6.2 |
| CVE-2026-23668 | Windows Graphics Component Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-25180 | Windows Graphics Component Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-24297 | Windows Kerberos Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 6.5 |
| CVE-2026-24287 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-24289 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-26132 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-24288 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | Exploitation Less Likely | No | 6.8 |
| CVE-2026-25175 | Windows NTFS Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-23669 | Windows Print Spooler Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-24290 | Windows Projected File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-23673 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25172 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-25173 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.0 |
| CVE-2026-26111 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-25185 | Windows Shell Link Processing Spoofing Vulnerability | Exploitation Less Likely | No | 5.3 |
| CVE-2026-24294 | Windows SMB Server Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-26128 | Windows SMB Server Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25166 | Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25188 | Windows Telephony Service Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 8.8 |
| CVE-2026-23672 | Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25187 | Winlogon Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |

Microsoft Office vulnerabilities

| CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
| --- | --- | --- | --- | --- |
| CVE-2026-26144 | Microsoft Excel Information Disclosure Vulnerability | Exploitation Unlikely | No | 7.5 |
| CVE-2026-26112 | Microsoft Excel Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26107 | Microsoft Excel Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26108 | Microsoft Excel Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26109 | Microsoft Excel Remote Code Execution Vulnerability | Exploitation Unlikely | No | 8.4 |
| CVE-2026-26134 | Microsoft Office Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-26113 | Microsoft Office Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.4 |
| CVE-2026-26110 | Microsoft Office Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.4 |
| CVE-2026-26114 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-26106 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-26105 | Microsoft SharePoint Server Spoofing Vulnerability | Exploitation Less Likely | No | 8.1 |
| CVE-2026-24285 | Win32k Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-25180 | Windows Graphics Component Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |

Open Source Software vulnerabilities

| CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
| --- | --- | --- | --- | --- |
| CVE-2026-26030 | GitHub: CVE-2026-26030 Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable | Exploitation Unlikely | No | 9.9 |
| CVE-2026-23654 | GitHub: Zero Shot SCFoundation Remote Code Execution Vulnerability | Exploitation Unlikely | No | 8.8 |

SQL Server vulnerabilities

| CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
| --- | --- | --- | --- | --- |
| CVE-2026-21262 | SQL Server Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 8.8 |
| CVE-2026-26115 | SQL Server Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-26116 | SQL Server Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |

System Center vulnerabilities

| CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
| --- | --- | --- | --- | --- |
| CVE-2026-20967 | System Center Operations Manager (SCOM) Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |

Windows vulnerabilities

| CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
| --- | --- | --- | --- | --- |
| CVE-2026-25177 | Active Directory Domain Services Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-23667 | Broadcast DVR Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.0 |
| CVE-2026-25190 | GDI Remote Code Execution Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25181 | GDI+ Information Disclosure Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2026-23674 | MapUrlToZone Security Feature Bypass Vulnerability | Exploitation Unlikely | No | 7.5 |
| CVE-2026-25167 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.4 |
| CVE-2026-24283 | Multiple UNC Provider Kernel Driver Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-25165 | Performance Counters for Windows Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-24282 | Push message Routing Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-24285 | Win32k Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-24291 | Windows Accessibility Infrastructure (ATBroker.exe) Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-25186 | Windows Accessibility Infrastructure (ATBroker.exe) Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-24293 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25176 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25178 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-25179 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-23656 | Windows App Installer Spoofing Vulnerability | Exploitation Unlikely | No | |
| CVE-2026-25171 | Windows Authentication Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-23671 | Windows Bluetooth RFCOM Protocol Driver Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-24292 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-24295 | Windows Device Association Service Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-24296 | Windows Device Association Service Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.0 |
| CVE-2026-25189 | Windows DWM Core Library Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25174 | Windows Extensible File Allocation Table Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25168 | Windows Graphics Component Denial of Service Vulnerability | Exploitation Less Likely | No | 6.2 |
| CVE-2026-25169 | Windows Graphics Component Denial of Service Vulnerability | Exploitation Less Likely | No | 6.2 |
| CVE-2026-23668 | Windows Graphics Component Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.0 |
| CVE-2026-25180 | Windows Graphics Component Information Disclosure Vulnerability | Exploitation Less Likely | No | 5.5 |
| CVE-2026-25170 | Windows Hyper-V Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.0 |
| CVE-2026-24297 | Windows Kerberos Security Feature Bypass Vulnerability | Exploitation Less Likely | No | 6.5 |
| CVE-2026-24287 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-24289 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-26132 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-24288 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | Exploitation Less Likely | No | 6.8 |
| CVE-2026-25175 | Windows NTFS Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-23669 | Windows Print Spooler Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-24290 | Windows Projected File System Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-23673 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25172 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-25173 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.0 |
| CVE-2026-26111 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |
| CVE-2026-25185 | Windows Shell Link Processing Spoofing Vulnerability | Exploitation Less Likely | No | 5.3 |
| CVE-2026-24294 | Windows SMB Server Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |
| CVE-2026-26128 | Windows SMB Server Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 |
| CVE-2026-25166 | Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25188 | Windows Telephony Service Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 8.8 |
| CVE-2026-23672 | Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | Exploitation Unlikely | No | 7.8 |
| CVE-2026-25187 | Winlogon Elevation of Privilege Vulnerability | Exploitation More Likely | No | 7.8 |

Zero-Day Vulnerabilities: Publicly Disclosed (No known exploitation)

| CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score |
| --- | --- | --- | --- | --- |
| CVE-2026-26127 | .NET Denial of Service Vulnerability | Exploitation Unlikely | Yes | 7.5 |
| CVE-2026-21262 | SQL Server Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 8.8 |

Update history

2026-03-16: updated section on CVE-2026-26123 to include researcher commentary.

Article tags: Vulnerability Management, Patch Tuesday
Author: Adam Barnett
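A defender-side check for the xp_cmdshell scenario in the SQL Server section above, as an added example that is not from the Rapid7 post: it scans SQL Server ERRORLOG text for the configuration-change message that sp_configure writes and reports the windows during which xp_cmdshell was switched on. The log lines are constructed sample data, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in SQL Server ERRORLOG layout; not taken from a real host.
SAMPLE_ERRORLOG = """\
2026-03-11 02:14:07.31 spid61      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2026-03-11 02:14:07.52 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2026-03-11 02:19:44.08 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2026-03-11 09:00:02.10 spid12s     Configuration option 'max degree of parallelism' changed from 0 to 4. Run the RECONFIGURE statement to install.
2026-03-12 23:41:55.90 spid74      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# Message 15457, written when sp_configure changes a server option.
CHANGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>\S+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)


def parse_config_changes(text):
    """Return every server configuration change found in ERRORLOG text."""
    changes = []
    for line in text.splitlines():
        m = CHANGE_RE.match(line.strip())
        if m:
            changes.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "spid": m["spid"],
                "option": m["opt"],
                "old": int(m["old"]),
                "new": int(m["new"]),
            })
    return changes


def xp_cmdshell_windows(changes):
    """Pair 0->1 and 1->0 changes into windows when xp_cmdshell was on.

    A window with end=None was never closed in the log and needs triage first.
    """
    windows, opened = [], None
    for c in sorted(changes, key=lambda c: c["ts"]):
        if c["option"].lower() != "xp_cmdshell":
            continue
        if c["new"] == 1 and c["old"] == 0 and opened is None:
            opened = c
        elif c["new"] == 0 and opened is not None:
            secs = (c["ts"] - opened["ts"]).total_seconds()
            windows.append({"start": opened["ts"], "end": c["ts"],
                            "spid": opened["spid"], "seconds": secs})
            opened = None
    if opened is not None:
        windows.append({"start": opened["ts"], "end": None,
                        "spid": opened["spid"], "seconds": None})
    return windows


if __name__ == "__main__":
    for w in xp_cmdshell_windows(parse_config_changes(SAMPLE_ERRORLOG)):
        state = "STILL ENABLED" if w["end"] is None else f"{w['seconds']:.0f}s"
        print(f"{w['start']}  {w['spid']}  xp_cmdshell on: {state}")
```

A short on/off window like the first one in the sample is worth correlating with process-creation telemetry for children of the SQL Server service account over the same interval.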