Full Report

8 Critical | 75 Important | 0 Moderate | 0 Low

Microsoft addresses 83 CVEs including two vulnerabilities that were publicly disclosed prior to a patch being released.

Microsoft patched 83 CVEs in its March 2026 Patch Tuesday release, with eight rated critical and 75 rated as important. Our counts omitted one CVE (CVE-2026-26030) assigned by GitHub.

This month's update includes patches for:

- .NET
- ASP.NET Core
- Active Directory Domain Services
- Azure Arc
- Azure Compute Gallery
- Azure Entra ID
- Azure IoT Explorer
- Azure Linux Virtual Machines
- Azure MCP Server
- Azure Portal Windows Admin Center
- Azure Windows Virtual Machine Agent
- Broadcast DVR
- Connected Devices Platform Service (Cdpsvc)
- Microsoft Authenticator
- Microsoft Brokering File System
- Microsoft Devices Pricing Program
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office SharePoint
- Payment Orchestrator Service
- Push Message Routing Service
- Role: Windows Hyper-V
- SQL Server
- System Center Operations Manager
- Windows Accessibility Infrastructure (ATBroker.exe)
- Windows Ancillary Function Driver for WinSock
- Windows App Installer
- Windows Authentication Methods
- Windows Bluetooth RFCOM Protocol Driver
- Windows DWM Core Library
- Windows Device Association Service
- Windows Extensible File Allocation
- Windows File Server
- Windows GDI
- Windows GDI+
- Windows Kerberos
- Windows Kernel
- Windows MapUrlToZone
- Windows Mobile Broadband
- Windows NTFS
- Windows Performance Counters
- Windows Print Spooler Components
- Windows Projected File System
- Windows Resilient File System (ReFS)
- Windows Routing and Remote Access Service (RRAS)
- Windows SMB Server
- Windows Shell Link Processing
- Windows System Image Manager
- Windows Telephony Service
- Windows Universal Disk Format File System Driver (UDFS)
- Windows Win32K
- Winlogon

Elevation of privilege (EoP) vulnerabilities accounted for 55.4% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 20.5%.

## [Important] CVE-2026-21262, CVE-2026-26115 and CVE-2026-26116 | SQL Server Elevation of Privilege Vulnerability

CVE-2026-21262, CVE-2026-26115 and CVE-2026-26116 are EoP vulnerabilities affecting Microsoft SQL Server. Each of these flaws received a CVSSv3 score of 8.8 and was rated as important. While each was assessed as "Exploitation Less Likely" according to Microsoft's Exploitability Index, CVE-2026-21262 was publicly disclosed as a zero-day. While no exploitation has been reported by Microsoft, a successful exploit of any one of these three flaws would result in an attacker gaining SQL sysadmin privileges.

## [Important] CVE-2026-26127 | .NET Denial of Service Vulnerability

CVE-2026-26127 is a denial of service (DoS) vulnerability affecting .NET 9.0 and 10.0 on Windows, Mac OS and Linux. It received a CVSSv3 score of 7.5 and was rated as important. According to Microsoft, this vulnerability was publicly disclosed prior to patches being made available. Although it was publicly disclosed, Microsoft assesses that exploitation is unlikely for this DoS vulnerability.

.NET updates this month also include patches to address CVE-2026-26131, an important severity EoP vulnerability for .NET 10 installations on Linux.

## [Important] CVE-2026-24287, CVE-2026-24289 and CVE-2026-26132 | Windows Kernel Elevation of Privilege Vulnerability

CVE-2026-24287, CVE-2026-24289 and CVE-2026-26132 are EoP vulnerabilities in the Windows Kernel. Each was assigned a CVSSv3 score of 7.8 and rated important. A local, authenticated attacker could exploit these vulnerabilities in order to gain SYSTEM privileges. While Microsoft reports no evidence of exploitation, it did assess CVE-2026-24289 and CVE-2026-26132 as "Exploitation More Likely." Including these three CVEs, six EoPs affecting the Windows Kernel have been patched so far in 2026.

## [Important] CVE-2026-26118 | Azure MCP Server Tools Elevation of Privilege Vulnerability

CVE-2026-26118 is an EoP vulnerability in Azure Model Context Protocol (MCP) Server. An attacker could exploit this vulnerability by sending crafted input to a vulnerable Azure MCP Server that accepts user-provided parameters. Successful exploitation would allow an attacker to elevate privileges using an obtained managed identity token.

MCP, an open standard introduced in 2024 by Anthropic, is used to allow large language models (LLMs) to connect to external data and tools. For more information on MCP, please check out our FAQ blog on Model Context Protocol (MCP) and Integrating with AI for Agentic Applications, as well as Tenable Research's AI Security blog examining web flaws in MCP servers.

## [Critical] CVE-2026-26110 and CVE-2026-26113 | Microsoft Office Remote Code Execution Vulnerability

CVE-2026-26110 and CVE-2026-26113 are RCE vulnerabilities affecting Microsoft Office. Both received CVSSv3 scores of 8.4 and were rated as critical. A local, unauthenticated attacker could exploit these vulnerabilities to achieve local code execution. Microsoft notes that the preview pane is an attack vector for these flaws, and both CVEs were assessed as "Exploitation Less Likely."

## Tenable Solutions

A list of all the plugins released for Microsoft's March 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

## Get more information

- Microsoft's March 2026 Security Updates
- Tenable plugins for Microsoft March 2026 Patch Tuesday Security Updates
- Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
- Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Analysis Summary
# Vulnerability: Microsoft March 2026 Patch Tuesday Summary
## CVE Details
- **CVE IDs**:
  - **Zero-Days (Publicly Disclosed):** CVE-2026-21262, CVE-2026-26127
  - **Critical RCE:** CVE-2026-26110, CVE-2026-26113
  - **Other High-Impact:** CVE-2026-26115, CVE-2026-26116, CVE-2026-24287, CVE-2026-24289, CVE-2026-26132, CVE-2026-26118
- **CVSS Scores**: 7.5 to 8.8
- **Severity**: Critical (8 CVEs) and Important (75 CVEs)
- **CWE**: Not explicitly listed; primary categories are Elevation of Privilege (55.4%) and Remote Code Execution (20.5%).
## Affected Systems
- **Products**:
  - Microsoft SQL Server
  - .NET (9.0, 10.0)
  - Windows Kernel
  - Azure Model Context Protocol (MCP) Server
  - Microsoft Office (Excel, SharePoint, etc.)
  - Windows OS Components (Win32K, Print Spooler, SMB Server, GDI, etc.)
- **Versions**: Various, including .NET 10 on Linux and Windows Kernel (multiple versions).
- **Configurations**: SQL Server instances with standard user access; Azure MCP Servers accepting user-provided parameters; Microsoft Office installations using the Preview Pane.
## Vulnerability Description
This patch cycle addresses 83 CVEs. Key flaws include:
- **SQL Server EoP:** Exploitation allows an attacker to gain **sysadmin** privileges.
- **.NET DoS:** A flaw in .NET 9.0/10.0 allowing remote denial of service across Windows, Mac, and Linux.
- **Azure MCP Server EoP:** Exploitation involves sending crafted input to obtain a managed identity token, leveraging an open standard for LLM data connectivity.
- **Office RCE:** Flaws in how Office handles data, specifically reachable through the **Preview Pane** vector.
## Exploitation
- **Status**:
  - **Publicly Disclosed (Zero-Day):** CVE-2026-21262 (SQL) and CVE-2026-26127 (.NET).
  - **Likely to be exploited:** CVE-2026-24289 and CVE-2026-26132 (Kernel EoP).
- **Complexity**: Varies (Low for local EoPs).
- **Attack Vector**: Network (Office RCE/Azure MCP/DoS) and Local (Kernel/SQL EoP).
## Impact
- **Confidentiality**: **High** (Privilege escalation to SYSTEM or sysadmin).
- **Integrity**: **High** (Ability to run arbitrary code and modify system/database state).
- **Availability**: **High** (Network-based Denial of Service for .NET applications).
## Remediation
### Patches
- Microsoft recommends applying the **March 2026 Security Updates** immediately via Windows Update or the Microsoft Update Catalog.
- Specific updates for .NET 10 and SQL Server must be applied to address the disclosed zero-days.
### Workarounds
- No specific workarounds were detailed in the brief; however, for Office RCEs, disabling the **Preview Pane** in Windows Explorer may reduce the attack surface.
## Detection
- **Indicators of Compromise**: Monitor for unauthorized execution of SQL sysadmin commands and unusual Managed Identity token requests in Azure.
- **Detection Tools**: Tenable plugins are available for scanning and identifying unpatched systems from the March 2026 release.
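One concrete form of the sysadmin monitoring suggested above: a T-SQL audit that lists every member of the fixed sysadmin server role and flags any login not on an approved baseline, which is the footprint a successful SQL Server EoP would leave. This is an added example, not Tenable's or Microsoft's code; the approved login names are constructed placeholders to replace with your own.

```sql
-- Added example: audit sysadmin membership against an approved baseline.
-- The names in @Approved are constructed placeholders; replace them with
-- the logins and groups your change records say should hold sysadmin.
DECLARE @Approved TABLE (name sysname PRIMARY KEY);
INSERT INTO @Approved (name) VALUES
    (N'sa'),
    (N'CONTOSO\SQLAdmins');   -- constructed placeholder AD group

-- Resolve the current sysadmin members from the role-membership catalog.
WITH SysadminMembers AS (
    SELECT m.name,
           m.type_desc,
           m.is_disabled,
           m.create_date,
           m.modify_date
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin'
)
-- Anything without a match in @Approved is unexpected; newest changes first,
-- so a recently created or modified principal surfaces at the top.
SELECT s.name,
       s.type_desc,
       s.is_disabled,
       s.create_date,
       s.modify_date,
       CASE WHEN a.name IS NULL THEN 'UNEXPECTED' ELSE 'approved' END AS status
FROM SysadminMembers AS s
LEFT JOIN @Approved AS a ON a.name = s.name
ORDER BY CASE WHEN a.name IS NULL THEN 0 ELSE 1 END,
         s.modify_date DESC;
```

Run it on a schedule from a monitoring login and alert on any UNEXPECTED row; a sysadmin member nobody provisioned, especially one with a fresh create_date or modify_date, warrants the same response as a confirmed compromise of that instance.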
## References
- **Vendor Advisory**: hxxps://msrc[.]microsoft[.]com/update-guide/en-us/releaseNote/2026-Mar
- **Tenable Analysis**: hxxps://www[.]tenable[.]com/blog/microsofts-march-2026-patch-tuesday-addresses-83-cves-cve-2026-21262-cve-2026-26127