Microsoft Patch Tuesday Analysis – March 2026

Executive Summary

On Tuesday, 10.03.2026, Microsoft released its monthly security update addressing 83 vulnerabilities in its products.

By severity category:

  • Elevation of Privilege - 46;
  • Remote Code Execution - 17;
  • Spoofing - 4;
  • Information Disclosure - 10;
  • Security Feature Bypass - 2;
  • Denial of Service - 4.

Exploited (Zero-Days) and Publicly Disclosed Vulnerabilities

Special attention should be paid to the following 2 vulnerabilities. Fixing them is the highest priority:

  • CVE-2026-21262 (CVSS 8.8; Elevation of Privilege) - SQL Server Elevation of Privilege Vulnerability. The vulnerability stems from improper access control (CWE‑284) in Microsoft SQL Server. An authenticated attacker with low privileges (PR:L) can exploit it over the network to elevate privileges to the sysadmin level. It affects multiple versions, including SQL Server 2016–2025, and is fixed via cumulative updates (CU) or general distribution releases (GDR).
  • CVE-2026-26127 (CVSS 7.5; Denial of Service) - .NET Denial of Service Vulnerability. This vulnerability allows a remote unauthenticated attacker to trigger a denial‑of‑service (DoS) condition over the network without user interaction. It is caused by an out‑of‑bounds read (CWE‑125) when the .NET platform processes specially crafted data. Exploitation can crash network applications or services that use the vulnerable runtime.

General Overview and Trends

The March Patch Tuesday 2026 release shows some stabilization after the “zero‑day storm” in February. Microsoft fixed 83 vulnerabilities, which is an average number for this year. Despite the absence (at the time of publication) of actively exploited vulnerabilities, the month still carries elevated risk due to public disclosures and critical threats to server infrastructure.

  • Public disclosure risks: Two serious vulnerabilities — in SQL Server and .NET — were publicly disclosed before patches were released. This significantly shortens patch deployment timelines.
  • Focus on critical server infrastructure: March became a “server month”. Updates affected Active Directory (AD DS), SQL Server, SharePoint Server and System Center Operations Manager (SCOM).
  • Dominance of Elevation of Privilege (EoP): More than half of the fixes (46 of 83) address privilege escalation vulnerabilities.
  • Persistent RCE threats: Remote code execution vulnerabilities continue appearing in components such as Print Spooler and RRAS.
  • Cloud and hybrid environments: Microsoft continues patching vulnerabilities in Azure Connected Machine Agent, Hybrid Worker and Confidential Containers.

Full List of Vulnerabilities

The table below lists all vulnerabilities fixed this month.

| CVE | Title | Type | CVSS | Severity | Exploited | Publicly Disclosed |
|---|---|---|---|---|---|---|
| CVE-2026-21262 | SQL Server Elevation of Privilege Vulnerability | Elevation of Privilege | 8.8 | Elevation of Privilege | No | Yes |
| CVE-2026-26127 | .NET Denial of Service Vulnerability | Denial of Service | 7.5 | Denial of Service | No | Yes |
| CVE-2026-21536 | Microsoft Devices Pricing Program Remote Code Execution Vulnerability | Remote Code Execution | 9.8 | Remote Code Execution | No | No |

Retrospective Analysis of Vulnerabilities

  • CVE-2026-20817 — Windows Error Reporting Service Elevation of Privilege Vulnerability. A local vulnerability in Windows Error Reporting allowing an attacker to escalate privileges to SYSTEM.
  • CVE-2026-20841 — Windows Notepad App Remote Code Execution Vulnerability. Command injection vulnerability in Notepad when processing specially crafted Markdown links.
  • CVE-2026-21241 — Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability.
  • CVE-2026-21508 — Windows Storage Elevation of Privilege Vulnerability.

Conclusion

Although the March update appears calmer than February due to the absence of active zero‑day exploitation, it still presents serious risks for server environments.

  • Databases and runtime environments: Patch CVE‑2026‑21262 (SQL Server) and CVE‑2026‑26127 (.NET) first.
  • Domain controllers and management infrastructure: Update Active Directory and SCOM systems.
  • Corporate portals: SharePoint servers require urgent patching due to RCE vulnerabilities.
  • Workstations: Do not forget the Office and Excel patches; these applications remain a major phishing attack vector.
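
The patch order recommended in this conclusion, as an added example (not code from the original article): it ranks the three rows shown in the table so that publicly disclosed issues come ahead of a higher CVSS score. The tiering rule and the names Vuln, by_cvss and by_exposure are assumptions made for this illustration.

```python
# Added example: triage order for the three rows shown in this page's table.
# Assumption: tier rule is exploited > publicly disclosed > everything else,
# with CVSS used only to break ties inside a tier.
from dataclasses import dataclass

# Rows transcribed from the page's table: CVE | type | CVSS | exploited | public
ROWS = """\
CVE-2026-21262|Elevation of Privilege|8.8|No|Yes
CVE-2026-26127|Denial of Service|7.5|No|Yes
CVE-2026-21536|Remote Code Execution|9.8|No|No
"""

@dataclass(frozen=True)
class Vuln:
    cve: str
    vtype: str
    cvss: float
    exploited: bool
    public: bool

    @property
    def tier(self) -> int:
        """0 = exploited in the wild, 1 = publicly disclosed, 2 = the rest."""
        if self.exploited:
            return 0
        return 1 if self.public else 2

def parse(text: str) -> list:
    """Turn pipe-delimited rows into Vuln records."""
    vulns = []
    for line in text.strip().splitlines():
        cve, vtype, cvss, exploited, public = (f.strip() for f in line.split("|"))
        vulns.append(Vuln(cve, vtype, float(cvss), exploited == "Yes", public == "Yes"))
    return vulns

def by_cvss(vulns):
    """Naive ordering: highest CVSS score first."""
    return [v.cve for v in sorted(vulns, key=lambda v: -v.cvss)]

def by_exposure(vulns):
    """Lower tier first; within a tier, higher CVSS first."""
    return [v.cve for v in sorted(vulns, key=lambda v: (v.tier, -v.cvss))]

if __name__ == "__main__":
    vulns = parse(ROWS)
    print("CVSS only:      ", by_cvss(vulns))
    print("Exposure first: ", by_exposure(vulns))
```

Sorting by CVSS alone puts CVE-2026-21536 first; the exposure-first order puts the two publicly disclosed issues ahead of it.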