Microsoft March 2026 Patch Tuesday Fixes 78 Vulnerabilities Including SQL Server Zero-Day
Microsoft's March 2026 Patch Tuesday addresses 78 vulnerabilities across Windows, Office, Azure, SQL Server, and .NET — including CVE-2026-21262, a zero-day in SQL Server that lets authenticated users escalate to sysadmin privileges, and critical remote code execution flaws in Office.
Microsoft's March 2026 Patch Tuesday addresses 78 vulnerabilities across Windows, Microsoft Office, Azure, SQL Server, and .NET — including CVE-2026-21262, a zero-day in SQL Server that allows authenticated users to escalate privileges to sysadmin level, and critical remote code execution flaws in Microsoft Office.
SQL Server Zero-Day
The most urgent fix is CVE-2026-21262, the sole confirmed zero-day in this release. The vulnerability exists in SQL Server's privilege handling mechanism and allows a user with basic database access to escalate their privileges to the sysadmin role — effectively gaining full control of the database server. The flaw is classified as "Exploitation Detected," confirming that attackers have already used it in real-world attacks. Organizations running SQL Server should prioritize this patch, particularly for internet-accessible database servers.
Office Remote Code Execution
Two critical remote code execution vulnerabilities in Microsoft Office — CVE-2026-26113 and CVE-2026-26110 — allow attackers to execute malicious code through specially crafted documents. While Microsoft's analysis indicates that functional exploit code is currently unproven for CVE-2026-26110, the preview pane is listed as an attack vector for both flaws, meaning that simply previewing a malicious document in Outlook or File Explorer could trigger exploitation without the user explicitly opening the file.
Additional Fixes
The remaining patches address vulnerabilities across Azure services, Windows kernel components, the Remote Desktop Protocol, and various Windows subsystems. Six vulnerabilities are flagged as "more likely" to be exploited, indicating that Microsoft's security team assesses a higher probability of near-term exploitation based on the vulnerability characteristics. Organizations should apply the full patch set as soon as testing permits, with priority given to the SQL Server zero-day and Office RCE vulnerabilities.
Related Articles
Cloudflare 2026 Threat Report: 230 Billion Daily Blocked Threats and the Rise of Credential Attacks
Cloudflare has published its inaugural annual threat report revealing the company blocks over 230 billion threats daily across 20% of global web traffic. DDoS attacks doubled year-over-year to 47.1 million incidents, with the largest reaching a record 31.4 Tbps, while bots now account for 94% of all login attempts.
HashiCorp Patches Consul Arbitrary File Read Vulnerability in Kubernetes Auth
HashiCorp has released emergency patches for Consul to address CVE-2026-2808, a medium-severity vulnerability allowing arbitrary file reads when Kubernetes authentication is enabled. The fix also adds HTTP server timeouts to prevent Slowloris denial-of-service attacks against Consul agent endpoints.
Let's Encrypt Now Issues Six-Day Certificates and IP Address Certificates via Certbot
Let's Encrypt and the EFF have announced support for six-day (160-hour) certificates and IP address certificates through Certbot 5.3 and 5.4. The ultra-short-lived certificates reduce the impact window of compromised keys by design, while IP address certificates enable HTTPS for services identified by address rather than hostname.