Microsoft March 2026 Patch Tuesday Addresses 2 Zero-Days and 84 Flaws
Summary
Microsoft's March 2026 Patch Tuesday addresses 84 vulnerabilities, including 2 publicly disclosed zero-day flaws. The updates fix critical vulnerabilities, including remote code execution flaws and information disclosure flaws. The patches cover a range of vulnerabilities, including elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing. Notably, CVE-2026-21262 allows attackers to elevate privileges to sysadmin over a network on SQL Server 2016 and later editions. Additionally, Microsoft fixed two remote code execution bugs in Microsoft Office that can be exploited via the preview pane. A notable flaw in Microsoft Excel could allow data exfiltration via Microsoft Copilot. The updates also include patches for nine browser vulnerabilities and an out-of-band update for Windows Server 2022 to address a certificate renewal issue with Windows Hello for Business. Microsoft is changing the default behavior of Windows Autopatch to enable hotpatch security updates starting with the May 2026 Windows security update.
Timeline
- 10.03.2026 19:49 (5 articles)
Microsoft March 2026 Patch Tuesday Addresses 2 Zero-Days and 79 Flaws
Microsoft's March 2026 Patch Tuesday addresses 84 vulnerabilities, including 2 publicly disclosed zero-day flaws. The updates fix critical vulnerabilities, including remote code execution flaws and information disclosure flaws. The patches cover a range of vulnerabilities, including elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing. Notably, CVE-2026-21262 allows attackers to elevate privileges to sysadmin over a network on SQL Server 2016 and later editions. Additionally, Microsoft fixed two remote code execution bugs in Microsoft Office that can be exploited via the preview pane. A notable flaw in Microsoft Excel could allow data exfiltration via Microsoft Copilot. The updates also include patches for nine browser vulnerabilities and an out-of-band update for Windows Server 2022 to address a certificate renewal issue with Windows Hello for Business. Microsoft is changing the default behavior of Windows Autopatch to enable hotpatch security updates starting with the May 2026 Windows security update. The article provides additional details on the two zero-day vulnerabilities addressed in the March 2026 Patch Tuesday. CVE-2026-21262 is an SQL Server elevation of privilege (EoP) bug with a CVSS score of 8.8, which requires low-level privileges and is assessed as less likely to be exploited. CVE-2026-26127 is a denial-of-service flaw in .NET that could have serious exploitation implications, including potential downtime and SLA breaches. The article also highlights that the vast majority of the CVEs addressed are elevation of privilege vulnerabilities.
Sources:
- Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws — www.bleepingcomputer.com — 10.03.2026 19:49
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com — 11.03.2026 02:32
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
Information Snippets
- Microsoft released security updates for 79 flaws, including 2 publicly disclosed zero-day vulnerabilities.
  First reported: 10.03.2026 19:49 (5 sources, 5 articles). Sources:
- Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws — www.bleepingcomputer.com — 10.03.2026 19:49
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com — 11.03.2026 02:32
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- The updates address 3 critical vulnerabilities, 2 of which are remote code execution flaws and 1 is an information disclosure flaw.
  First reported: 10.03.2026 19:49 (5 sources, 5 articles). Sources:
- Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws — www.bleepingcomputer.com — 10.03.2026 19:49
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com — 11.03.2026 02:32
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- The vulnerabilities include 46 elevation of privilege, 2 security feature bypass, 18 remote code execution, 10 information disclosure, 4 denial of service, and 4 spoofing flaws.
  First reported: 10.03.2026 19:49 (5 sources, 5 articles). Sources:
- Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws — www.bleepingcomputer.com — 10.03.2026 19:49
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com — 11.03.2026 02:32
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-21262 is a SQL Server elevation of privilege vulnerability that allows unauthorized attackers to elevate privileges over a network.
  First reported: 10.03.2026 19:49 (5 sources, 5 articles). Sources:
- Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws — www.bleepingcomputer.com — 10.03.2026 19:49
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com — 11.03.2026 02:32
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-26127 is a .NET denial of service flaw that allows unauthorized attackers to deny service over a network.
  First reported: 10.03.2026 19:49 (5 sources, 5 articles). Sources:
- Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws — www.bleepingcomputer.com — 10.03.2026 19:49
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com — 11.03.2026 02:32
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-26110 and CVE-2026-26113 are remote code execution bugs in Microsoft Office that can be exploited via the preview pane.
  First reported: 10.03.2026 19:49 (5 sources, 5 articles). Sources:
- Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws — www.bleepingcomputer.com — 10.03.2026 19:49
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com — 11.03.2026 02:32
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-26144 is an Excel information disclosure flaw that could allow data exfiltration via Microsoft Copilot.
  First reported: 10.03.2026 19:49 (5 sources, 5 articles). Sources:
- Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws — www.bleepingcomputer.com — 10.03.2026 19:49
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com — 11.03.2026 02:32
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-21262 allows an attacker to elevate privileges to sysadmin over a network on SQL Server 2016 and later editions.
  First reported: 11.03.2026 02:32 (4 sources, 4 articles). Sources:
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com — 11.03.2026 02:32
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-26127 is a .NET vulnerability that can cause denial of service by triggering a crash.
  First reported: 11.03.2026 02:32 (4 sources, 4 articles). Sources:
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com — 11.03.2026 02:32
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-24291 is an incorrect permission assignment within the Windows Accessibility Infrastructure.
  First reported: 11.03.2026 02:32 (4 sources, 4 articles). Sources:
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com — 11.03.2026 02:32
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-24294 is an improper authentication flaw in the core SMB component.
  First reported: 11.03.2026 02:32 (4 sources, 4 articles). Sources:
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com — 11.03.2026 02:32
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-24289 is a high-severity memory corruption and race condition flaw.
  First reported: 11.03.2026 02:32 (4 sources, 4 articles). Sources:
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com — 11.03.2026 02:32
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-25187 is a Winlogon process weakness discovered by Google Project Zero.
  First reported: 11.03.2026 02:32 (4 sources, 4 articles). Sources:
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com — 11.03.2026 02:32
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-21536 is a critical remote code execution bug in the Microsoft Devices Pricing Program, discovered by an AI agent.
  First reported: 11.03.2026 02:32 (4 sources, 4 articles). Sources:
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com — 11.03.2026 02:32
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- Microsoft released patches for 83 CVEs in the March 2026 update.
  First reported: 11.03.2026 03:08 (3 sources, 3 articles). Sources:
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- Six vulnerabilities are considered more likely to be exploited by attackers.
  First reported: 11.03.2026 03:08 (3 sources, 3 articles). Sources:
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-21536 is a critical RCE vulnerability in the Microsoft Devices Pricing Program with a CVSS score of 9.8.
  First reported: 11.03.2026 03:08 (3 sources, 3 articles). Sources:
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- Elevation of privilege (EoP) bugs accounted for 55.4% of the patched CVEs.
  First reported: 11.03.2026 03:08 (3 sources, 3 articles). Sources:
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-24289 and CVE-2026-26132 are EoP vulnerabilities in the Windows kernel with low attack complexity.
  First reported: 11.03.2026 03:08 (3 sources, 3 articles). Sources:
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-24294 is an EoP vulnerability in SMB Server, and CVE-2026-23668 is an EoP vulnerability in the Microsoft Graphics Component.
  First reported: 11.03.2026 03:08 (3 sources, 3 articles). Sources:
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-26113 and CVE-2026-26110 are RCE vulnerabilities in Microsoft Office that can be exploited via the preview pane.
  First reported: 11.03.2026 03:08 (3 sources, 3 articles). Sources:
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-25190 and CVE-2026-25181 are vulnerabilities in GDI and GDI+ that can be chained for a dual-stage attack.
  First reported: 11.03.2026 03:08 (3 sources, 3 articles). Sources:
- Microsoft Patches 83 CVEs in March Update — www.darkreading.com — 11.03.2026 03:08
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- Microsoft released patches for 84 CVEs in the March 2026 update.
  First reported: 11.03.2026 11:15 (2 sources, 2 articles). Sources:
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- Eight vulnerabilities are rated Critical, and 76 are rated Important in severity.
  First reported: 11.03.2026 11:15 (2 sources, 2 articles). Sources:
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-26127 is a denial-of-service vulnerability in .NET with a CVSS score of 7.5.
  First reported: 11.03.2026 11:15 (2 sources, 2 articles). Sources:
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-21262 is an elevation of privilege vulnerability in SQL Server with a CVSS score of 8.8.
  First reported: 11.03.2026 11:15 (2 sources, 2 articles). Sources:
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-21536 is a critical remote code execution flaw in the Microsoft Devices Pricing Program with a CVSS score of 9.8.
  First reported: 11.03.2026 11:15 (2 sources, 2 articles). Sources:
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-25187 is a Winlogon privilege escalation flaw with a CVSS score of 7.8.
  First reported: 11.03.2026 11:15 (2 sources, 2 articles). Sources:
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-26118 is a server-side request forgery bug in the Azure Model Context Protocol (MCP) server with a CVSS score of 8.8.
  First reported: 11.03.2026 11:15 (2 sources, 2 articles). Sources:
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-26144 is an information disclosure flaw in Excel with a CVSS score of 7.5.
  First reported: 11.03.2026 11:15 (2 sources, 2 articles). Sources:
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- Microsoft is changing the default behavior of Windows Autopatch to enable hotpatch security updates starting with the May 2026 Windows security update.
  First reported: 11.03.2026 11:15 (2 sources, 2 articles). Sources:
- Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days — thehackernews.com — 11.03.2026 11:15
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-21262 is an SQL Server elevation of privilege (EoP) bug with a CVSS score of 8.8.
  First reported: 11.03.2026 11:20 (1 source, 1 article). Sources:
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- CVE-2026-26127 is a denial-of-service flaw in .NET that could have serious exploitation implications.
  First reported: 11.03.2026 11:20 (1 source, 1 article). Sources:
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
- Microsoft released security updates for 79 vulnerabilities in this month's Patch Tuesday.
  First reported: 11.03.2026 11:20 (1 source, 1 article). Sources:
- Microsoft Fixes Two Publicly Disclosed Zero-Days — www.infosecurity-magazine.com — 11.03.2026 11:20
Similar Happenings
Microsoft February 2026 Patch Tuesday Addresses 6 Zero-Days and 59 Flaws
Microsoft's February 2026 Patch Tuesday addresses 59 vulnerabilities, including 6 actively exploited zero-days and 3 publicly disclosed flaws. The updates include fixes for 5 critical vulnerabilities, with three being security feature bypass flaws in various Microsoft products. The zero-days span components such as Windows Shell, MSHTML Framework, Microsoft Word, Desktop Window Manager, Windows Remote Access Connection Manager, and Windows Remote Desktop Services. Microsoft issued an out-of-band patch for one of the zero-days, CVE-2026-21514, highlighting its urgency. The updates also cover a range of other vulnerabilities, including elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing flaws. Additionally, Microsoft has begun rolling out updated Secure Boot certificates to replace expiring 2011 certificates. Other vendors, including Adobe, BeyondTrust, CISA, Cisco, Fortinet, Google, n8n, and SAP, have also released security updates or advisories.
Microsoft January 2026 Patch Tuesday Addresses 3 Zero-Days, 114 Flaws
Microsoft's January 2026 Patch Tuesday addressed 114 vulnerabilities, including three zero-days: one actively exploited (CVE-2026-20805) and two publicly disclosed (CVE-2026-21265 and CVE-2023-31096). The updates covered a range of flaw types, with eight classified as 'Critical,' including remote code execution and elevation-of-privilege vulnerabilities. Additionally, Microsoft released emergency out-of-band security updates to patch a high-severity Microsoft Office zero-day vulnerability (CVE-2026-21509) exploited in attacks, affecting multiple Office versions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20805 and CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the latest fixes by February 3, 2026, and February 16, 2026, respectively. The flaw was discovered by the Microsoft Threat Intelligence Center (MSTIC), the Microsoft Security Response Center (MSRC), and the Office Product Group Security Team, and affects several versions of Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise.
Microsoft December 2025 Patch Tuesday addresses 3 zero-days, 56 flaws
Microsoft's December 2025 Patch Tuesday addresses 56 vulnerabilities, including three zero-days. One zero-day (CVE-2025-62221) is actively exploited, allowing privilege escalation in Windows Cloud Files Mini Filter Driver. Two other zero-days (CVE-2025-64671, CVE-2025-54100) are publicly disclosed, affecting GitHub Copilot for JetBrains and PowerShell. The updates also fix 3 critical remote code execution vulnerabilities. Additionally, Microsoft released the KB5071546 extended security update for Windows 10 Enterprise LTSC and ESU program participants, addressing the same vulnerabilities and updating Windows 10 to build 19045.6691 and Windows 10 Enterprise LTSC 2021 to build 19044.6691. The update includes a fix for CVE-2025-54100, a remote code execution zero-day vulnerability in PowerShell, and introduces a confirmation prompt with a security warning for script execution risk when using the Invoke-WebRequest command in PowerShell 5.1. Microsoft patched a total of 1,275 CVEs in 2025, according to data compiled by Fortra. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-62221 to the Known Exploited Vulnerabilities (KEV) catalog, mandating FCEB agencies to apply the patch by December 30, 2025. The remaining two zero-days, CVE-2025-54100 and CVE-2025-64671, are part of a broader set of security vulnerabilities collectively named IDEsaster, affecting multiple AI coding platforms.
Critical WSUS RCE Vulnerability Exploited in the Wild
A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Service (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution. Recently, threat actors have been exploiting CVE-2025-59287 to distribute ShadowPad malware, a modular backdoor used by Chinese state-sponsored hacking groups. Attackers used PowerCat, certutil, and curl to obtain a system shell and download ShadowPad. The malware is launched via DLL side-loading and comes with anti-detection and persistence techniques.
HTTP Request Smuggling Vulnerability in ASP.NET Core Kestrel Web Server
Microsoft patched a high-severity HTTP request smuggling vulnerability (CVE-2025-55315) in the Kestrel web server for ASP.NET Core. The flaw could allow authenticated attackers to hijack user credentials or bypass security controls. The vulnerability affects multiple versions of ASP.NET Core and has been addressed with security updates. Microsoft advises developers and users to update their applications to mitigate potential attacks.