
Microsoft Patch Tuesday March 2026: 79 Flaws Fixed Including 2 Zero-Days and Critical Office RCEs

Microsoft's March 2026 Patch Tuesday (March 10) patches 79 vulnerabilities, including 2 publicly disclosed zero-days (among them CVE-2026-21262, a SQL Server EoP) and 3 Critical flaws, two of which are Office RCEs (CVE-2026-26110, CVE-2026-26113) that can fire from the preview pane, plus an Excel/Copilot data exfiltration flaw (CVE-2026-26144).

Emanuel DE ALMEIDA, 10 Mar 2026, 18:49

Last updated 11 Mar 2026, 00:27


Microsoft March 2026 Patch Tuesday: Overview

Microsoft released its March 2026 Patch Tuesday on March 10, 2026, patching 79 security vulnerabilities across Windows, Office, Azure, and related products. The update includes 2 publicly disclosed zero-days, 3 Critical-rated flaws (2 remote code execution, 1 information disclosure), and dozens of Important-severity issues. Neither zero-day is confirmed as actively exploited in the wild at the time of release, but this cycle follows February 2026's unprecedented six actively exploited zero-days.

Microsoft also continues deploying updated Secure Boot certificates ahead of the June 2026 expiration of the original 2011 certificates — making this cycle particularly important for organizations managing endpoint integrity.

Two Publicly Disclosed Zero-Days

This month's Patch Tuesday fixes two zero-day vulnerabilities that were publicly disclosed before patches were available:

  • CVE-2026-21262 — SQL Server Elevation of Privilege Vulnerability. Publicly disclosed prior to this patch cycle. Allows an attacker to gain elevated privileges on affected SQL Server instances.
  • .NET Denial of Service Flaw — An out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network. Attributed to an anonymous researcher and publicly disclosed before the fix.

A zero-day, as the term is used here, is any vulnerability that was publicly disclosed or actively exploited before an official fix was available. Neither of this month's zero-days has confirmed in-the-wild exploitation as of the March 10 release.

Critical Office RCEs Exploitable via Preview Pane

Two Critical remote code execution vulnerabilities in Microsoft Office stand out as high-priority patches this month:

  • CVE-2026-26110 — Microsoft Office Remote Code Execution. Can be triggered through the preview pane: a crafted document only has to be previewed (for example in an Outlook or Explorer preview pane); the victim never has to open it.
  • CVE-2026-26113 — Microsoft Office Remote Code Execution. Also exploitable via the preview pane, which makes both flaws particularly dangerous in enterprise environments where document previews are on by default.

Security teams should prioritize patching Office installations immediately. Preview-pane exploitation removes the usual "open the attachment" step from the kill chain, so user-awareness controls offer little protection; the patch is the mitigation.

Excel and Microsoft Copilot Data Exfiltration Flaw (CVE-2026-26144)

A notable information disclosure vulnerability, CVE-2026-26144, affects Microsoft Excel in conjunction with Microsoft Copilot's Agent mode. According to Microsoft's advisory, an attacker who successfully exploits this vulnerability could cause Copilot Agent mode to exfiltrate data via unintended network egress — enabling a zero-click information disclosure attack.

This is particularly concerning for enterprise environments using Microsoft 365 Copilot with connected data sources, as sensitive documents or business data could be exfiltrated without any user action once an attacker has crafted a malicious file that reaches the victim's system.

Context: Following February 2026's Six Actively Exploited Zero-Days

March's release arrives in the wake of February 2026's alarming Patch Tuesday, which addressed 59 vulnerabilities including six actively exploited zero-days, one of the most critical Patch Tuesday releases in recent history. Those included flaws in the MSHTML Framework (CVE-2026-21513, CVSS 8.8, attributed to the Russia-linked APT28 group), Microsoft Word, Desktop Window Manager, Windows Shell, and Remote Desktop Services.

The APT28-linked CVE-2026-21513 — patched in February — involved a specially crafted Windows Shortcut (LNK) file embedding an HTML payload, exploiting nested iframes to manipulate trust boundaries and bypass Mark of the Web (MotW) protections. The attack leveraged infrastructure at wellnesscaremed[.]com to deliver multistage payloads targeting government and enterprise networks.

Full Breakdown by Severity and Category

The 79 CVEs patched in March 2026 break down as follows:

  • Critical: 3 (2 RCE, 1 Information Disclosure)
  • Important: 76 (including EoP, DoS, Spoofing, and additional RCEs)
  • Zero-days (publicly disclosed): 2 (CVE-2026-21262, .NET DoS)
  • Affected products: Windows, Microsoft Office, Excel, Azure IoT Explorer, Azure Linux VMs, Azure MCP Server, Windows Admin Center, Windows SMB Server, Windows Shell Link Processing

What Security Teams Should Do Now

Given the preview-pane RCEs and the Copilot data exfiltration flaw, security teams should treat this as a high-priority patch cycle:

  • Patch Microsoft Office immediately — CVE-2026-26110 and CVE-2026-26113 trigger on preview, without the victim opening or executing a file
  • Update Microsoft Excel / Microsoft 365 to address the CVE-2026-26144 Copilot exfiltration risk
  • Apply SQL Server patches to remediate CVE-2026-21262
  • Deploy via Windows Update or WSUS — Microsoft recommends immediate installation on all supported versions
  • Review Secure Boot certificate updates — the new 2023 certificates are being deployed ahead of the June 2026 expiration of the original 2011 certificates, and machines that have not received them will not be able to boot updated boot components once the old chain is retired
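A post-patch audit for the checklist above, written in PowerShell as an added example; it is not code from Microsoft or from this article. The fixed Office build and SQL Server patch level are not stated on this page, so they are script parameters the reader fills in from the MSRC advisories (the defaults below are placeholders). The Secure Boot checks rely on Confirm-SecureBootUEFI and Get-SecureBootUEFI, and on the UEFICA2023Status value under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing that Microsoft's Secure Boot certificate update guidance documents; treat that registry value as informational if it is absent on a given build.

```powershell
#Requires -RunAsAdministrator
# Added example: March 2026 Patch Tuesday post-patch audit (not Microsoft's or the article's code).
# Thresholds are PLACEHOLDERS; set them from the advisories for your channel/edition.
param(
    [version]  $MinOfficeVersion = '0.0.0.0',   # assumed: fixed Click-to-Run build from the advisory
    [version]  $MinSqlPatchLevel = '0.0.0.0',   # assumed: fixed SQL Server PatchLevel from the advisory
    [datetime] $PatchTuesday     = '2026-03-10'
)

$results = [System.Collections.Generic.List[pscustomobject]]::new()
function Add-Result([string]$Area, [string]$Status, [string]$Detail) {
    $results.Add([pscustomobject]@{ Area = $Area; Status = $Status; Detail = $Detail })
}

# 1. Windows: has any quality update been installed on or after Patch Tuesday?
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday }
if ($recent) {
    Add-Result 'Windows' 'OK' ("Installed since {0:d}: {1}" -f $PatchTuesday, ($recent.HotFixID -join ', '))
} else {
    Add-Result 'Windows' 'CHECK' 'No hotfix carries an InstalledOn date on or after Patch Tuesday'
}

# 2. Office (Click-to-Run): compare the reported build against the fixed build (CVE-2026-26110/-26113/-26144).
$c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
if ($c2r -and $c2r.VersionToReport) {
    $officeVer = [version]$c2r.VersionToReport
    $status = if ($officeVer -ge $MinOfficeVersion) { 'OK' } else { 'PATCH' }
    Add-Result 'Office (C2R)' $status "VersionToReport=$officeVer (threshold $MinOfficeVersion)"
} else {
    Add-Result 'Office (C2R)' 'N/A' 'No Click-to-Run Office found; MSI/volume installs must be checked separately'
}

# 3. SQL Server: every registered instance's PatchLevel against the fixed level (CVE-2026-21262).
$instances = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL' -ErrorAction SilentlyContinue
$instanceProps = @()
if ($instances) { $instanceProps = $instances.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } }
if ($instanceProps.Count -gt 0) {
    foreach ($p in $instanceProps) {
        $setup = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($p.Value)\Setup" -ErrorAction SilentlyContinue
        if ($setup -and $setup.PatchLevel) {
            $level  = [version]$setup.PatchLevel
            $status = if ($level -ge $MinSqlPatchLevel) { 'OK' } else { 'PATCH' }
            Add-Result "SQL Server ($($p.Name))" $status "PatchLevel=$level (threshold $MinSqlPatchLevel)"
        } else {
            Add-Result "SQL Server ($($p.Name))" 'CHECK' 'Instance registered but PatchLevel not readable'
        }
    }
} else {
    Add-Result 'SQL Server' 'N/A' 'No instances registered on this host'
}

# 4. Secure Boot: is the Windows UEFI CA 2023 already in the firmware db, and what does servicing report?
try {
    if (Confirm-SecureBootUEFI) {
        $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $has2023 = $dbText -match 'Windows UEFI CA 2023'
        $svc     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
        $svcStatus = if ($svc -and $svc.UEFICA2023Status) { $svc.UEFICA2023Status } else { 'unknown' }
        $status = if ($has2023) { 'OK' } else { 'CHECK' }
        Add-Result 'Secure Boot' $status "2023 CA in db: $has2023; UEFICA2023Status=$svcStatus"
    } else {
        Add-Result 'Secure Boot' 'OFF' 'Secure Boot is disabled; the certificate rollover does not apply until it is enabled'
    }
} catch {
    Add-Result 'Secure Boot' 'N/A' "Not a UEFI system or query failed: $($_.Exception.Message)"
}

$results | Format-Table -AutoSize
```

Run it elevated on a sample of endpoints and servers after the update wave; any row marked PATCH or CHECK is a machine to revisit. The Windows check is deliberately loose (it only proves some update landed after March 10), so pair it with your WSUS or Intune compliance report for the specific KB rather than treating "OK" there as proof that the March package is installed.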

Frequently Asked Questions

What zero-day vulnerabilities did Microsoft patch in March 2026 Patch Tuesday?
Microsoft's March 2026 Patch Tuesday includes two publicly disclosed zero-days: CVE-2026-21262 (SQL Server Elevation of Privilege) and a .NET Denial of Service flaw. Neither is confirmed as actively exploited in the wild as of the March 10 release.
Are the Office RCEs in March 2026 Patch Tuesday exploitable without clicking?
Yes. CVE-2026-26110 and CVE-2026-26113 are Critical-rated Microsoft Office RCE vulnerabilities that can be triggered via the Preview Pane, meaning a victim does not need to open or execute a file for the exploit to activate.
What is the CVE-2026-26144 Excel Copilot vulnerability?
CVE-2026-26144 is an information disclosure flaw in Microsoft Excel that can cause Microsoft Copilot Agent mode to exfiltrate sensitive data via unintended network egress, enabling a zero-click data theft attack in Microsoft 365 environments.

About the Author

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
