Microsoft’s Patch Tuesday Campaign in March Patched Two Zero-Day Vulnerabilities.

After a massive security update last month, Microsoft’s “Patch Tuesday” update in March looks relatively modest: among the 83 vulnerabilities fixed, only two were publicly disclosed as zero-day vulnerabilities.

According to BleepingComputer, the breakdown of security vulnerabilities is as follows: 46 privilege escalation vulnerabilities, two security feature bypass vulnerabilities, 18 remote code execution vulnerabilities, 10 information disclosure vulnerabilities, four denial of service vulnerabilities, and four address spoofing vulnerabilities. Two of the remote code execution vulnerabilities and one information disclosure vulnerability are rated “critical.”

The Patch Tuesday update typically goes live at 10:00 AM PT on the second Tuesday of each month.

The update, released Tuesday, revealed two zero-day vulnerabilities that were made publicly known.

Zero-day vulnerabilities are flaws that were either actively exploited by attackers or publicly disclosed before the developer released an official patch. This month, both zero-day vulnerabilities currently being patched were publicly disclosed, but Microsoft has not reported that either was actively exploited by attackers.

The first vulnerability, designated CVE-2026-21262, is a privilege escalation vulnerability in SQL Server that lets an authenticated attacker gain SQL Server administrator privileges over the network. It was discovered by Erland Sommarskog. The second zero-day vulnerability, designated CVE-2026-26127, is a denial of service vulnerability in .NET, attributed to an anonymous researcher.

The March update also includes two patches for remote code execution vulnerabilities in Microsoft Office and a number of fixes for flaws in Microsoft Excel, so users should ensure those applications are also updated.
