Microsoft Patch Tuesday, March 2026 Version – Krebs on Safety

Microsoft Corp. right this moment pushed safety updates to repair at the least 77 vulnerabilities in its Home windows working programs and different software program. There are not any urgent “zero-day” flaws this month (in comparison with February’s 5 zero-day deal with), however as standard some patches might deserve extra fast consideration from organizations utilizing Home windows. Listed here are a number of highlights from this month’s Patch Tuesday.

Picture: Shutterstock, @nwz.

Two of the bugs Microsoft patched right this moment had been publicly disclosed beforehand. CVE-2026-21262 is a weak spot that permits an attacker to raise their privileges on SQL Server 2016 and later editions.

“This isn’t simply any elevation of privilege vulnerability, both; the advisory notes that a licensed attacker can elevate privileges to sysadmin over a community,” Rapid7’s Adam Barnett stated. “The CVSS v3 base rating of 8.8 is just under the brink for vital severity, since low-level privileges are required. It could be a brave defender who shrugged and deferred the patches for this one.”

The opposite publicly disclosed flaw is CVE-2026-26127, a vulnerability in purposes working on .NET. Barnett stated the speedy affect of exploitation is probably going restricted to denial of service by triggering a crash, with the potential for different varieties of assaults throughout a service reboot.

It could hardly be a correct Patch Tuesday with out at the least one vital Microsoft Workplace exploit, and this month doesn’t disappoint. CVE-2026-26113 and CVE-2026-26110 are each distant code execution flaws that may be triggered simply by viewing a booby-trapped message within the Preview Pane.

Satnam Narang at Tenable notes that simply over half (55%) of all Patch Tuesday CVEs this month are privilege escalation bugs, and of these, a half dozen had been rated “exploitation extra doubtless” — throughout Home windows Graphics Element, Home windows Accessibility Infrastructure, Home windows Kernel, Home windows SMB Server and Winlogon. These embody:

–CVE-2026-24291: Incorrect permission assignments inside the Home windows Accessibility Infrastructure to succeed in SYSTEM (CVSS 7.8)
–CVE-2026-24294: Improper authentication within the core SMB element (CVSS 7.8)
–CVE-2026-24289: Excessive-severity reminiscence corruption and race situation flaw (CVSS 7.8)
–CVE-2026-25187: Winlogon course of weak spot found by Google Venture Zero (CVSS 7.8).

Ben McCarthy, lead cyber safety engineer at Immersive, known as consideration to CVE-2026-21536, a vital distant code execution bug in a element known as the Microsoft Gadgets Pricing Program. Microsoft has already resolved the difficulty on their finish, and fixing it requires no motion on the a part of Home windows customers. However McCarthy says it’s notable as one of many first vulnerabilities recognized by an AI agent and formally acknowledged with a CVE attributed to the Home windows working system. It was found by XBOW, a totally autonomous AI penetration testing agent.

XBOW has constantly ranked at or close to the highest of the Hacker One bug bounty leaderboard for the previous 12 months. McCarthy stated CVE-2026-21536 demonstrates how AI brokers can establish vital 9.8-rated vulnerabilities with out entry to supply code.

“Though Microsoft has already patched and mitigated the vulnerability, it highlights a shift towards AI-driven discovery of advanced vulnerabilities at rising velocity,” McCarthy stated. “This improvement suggests AI-assisted vulnerability analysis will play a rising function within the safety panorama.”

Microsoft earlier supplied patches to handle 9 browser vulnerabilities, which aren’t included within the Patch Tuesday rely above. As well as, Microsoft issued a vital out-of-band (emergency) update on March 2 for Home windows Server 2022 to handle a certificates renewal concern with passwordless authentication know-how Home windows Howdy for Enterprise.

Individually, Adobe shipped updates to repair 80 vulnerabilities — a few of them vital in severity — in a variety of products, together with Acrobat and Adobe Commerce. Mozilla Firefox v. 148.0.2 resolves three excessive severity CVEs.

For a whole breakdown of all of the patches Microsoft launched right this moment, try the SANS Web Storm Middle’s Patch Tuesday post. Home windows enterprise admins who want to keep abreast of any information about problematic updates, AskWoody.com is at all times value a go to. Please be at liberty to drop a remark beneath when you expertise any points apply this month’s patches.