{"id":226,"date":"2026-03-11T10:05:37","date_gmt":"2026-03-11T10:05:37","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=226"},"modified":"2026-03-11T10:05:37","modified_gmt":"2026-03-11T10:05:37","slug":"microsoft-patches-84-flaws-in-march-patch-tuesday-including-two-public-zero-days","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=226","title":{"rendered":"Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Microsoft on Tuesday released patches for a set of <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/releaseNote\/2026-mar\" rel=\"noopener\" target=\"_blank\">84 new security vulnerabilities<\/a> affecting various software components, including two that have been listed as publicly known.<\/p>\n<p>Of these, eight are rated Critical, and 76 are rated Important in severity. 
Forty-six of the patched vulnerabilities relate to privilege escalation, followed by 18 remote code execution, 10 information disclosure, four spoofing, four denial-of-service, and two security feature bypass flaws.<\/p>\n<p>The fixes are in addition to <a href=\"https:\/\/learn.microsoft.com\/en-us\/deployedge\/microsoft-edge-relnotes-security\" rel=\"noopener\" target=\"_blank\">10 vulnerabilities<\/a> that have been addressed in its Chromium-based Edge browser since the release of the February 2026 Patch Tuesday update.<\/p>\n<p>The two publicly disclosed zero-days are <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-26127\" rel=\"noopener\" target=\"_blank\">CVE-2026-26127<\/a> (CVSS score: 7.5), a denial-of-service vulnerability in .NET, and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-21262\" rel=\"noopener\" target=\"_blank\">CVE-2026-21262<\/a> (CVSS score: 8.8), an elevation of privilege vulnerability in SQL Server.<\/p>\n<p>The vulnerability with the highest CVSS score in this month&#8217;s update is a critical remote code execution flaw in the Microsoft Devices Pricing Program. 
<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-21536\" rel=\"noopener\" target=\"_blank\">CVE-2026-21536<\/a> (CVSS score: 9.8), per Microsoft, has been fully mitigated, and no action is required from users. Artificial intelligence (AI)-powered autonomous vulnerability discovery platform XBOW has been credited with discovering and reporting the issue.<\/p>\n<p>\u00abThis month, over half (55%) of all Patch Tuesday CVEs were privilege escalation bugs, and of those, six were rated exploitation more likely across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon,\u00bb Satnam Narang, senior staff research engineer at Tenable, said.<\/p>\n<p>\u00abWe know these bugs are typically used by threat actors as part of post-compromise activity, once they get onto systems through other means (social engineering, exploitation of another vulnerability).\u00bb<\/p>\n<p>The Winlogon privilege escalation flaw (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-25187\" rel=\"noopener\" target=\"_blank\">CVE-2026-25187<\/a>, CVSS score: 7.8), in particular, leverages improper link resolution to obtain SYSTEM privileges. Google Project Zero researcher James Forshaw has been acknowledged for reporting the vulnerability.<\/p>\n<p>\u00abThe flaw allows a locally authenticated attacker with low privileges to exploit a link-following condition in the Winlogon process and escalate to SYSTEM privileges,\u00bb Jacob Ashdown, cybersecurity engineer at Immersive, said. 
\u00abThe vulnerability requires no user interaction and has low attack complexity, making it a straightforward target once an attacker gains a foothold.\u00bb<\/p>\n<p>Another vulnerability of note is <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-26118\" rel=\"noopener\" target=\"_blank\">CVE-2026-26118<\/a> (CVSS score: 8.8), a server-side request forgery bug in the Azure Model Context Protocol (MCP) server that could allow an authorized attacker to elevate privileges over a network.<\/p>\n<p>\u00abAn attacker could exploit this issue by sending specially crafted input to an Azure Model Context Protocol (MCP) Server tool that accepts user\u2011provided parameters,\u00bb Microsoft said.<\/p>\n<p>\u00abIf the attacker can interact with the MCP\u2011backed agent, they can submit a malicious URL in place of a normal Azure resource identifier. The MCP Server then sends an outbound request to that URL and, in doing so, may include its managed identity token. This allows the attacker to capture that token without requiring administrative access.\u00bb<\/p>\n<p>Successful exploitation of the vulnerability could permit an attacker to obtain the permissions associated with the MCP Server&#8217;s managed identity. The attacker could then leverage this behavior to access or perform actions on any resources that the managed identity is authorized to reach.<\/p>\n<p>Among the Critical-severity bugs resolved by Microsoft is an information disclosure flaw in Excel. 
Tracked as <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2026-26144\" rel=\"noopener\" target=\"_blank\">CVE-2026-26144<\/a> (CVSS score of 7.5), it has been described as a case of cross-site scripting that occurs as a result of improper neutralization of input during web page generation.<\/p>\n<p>The Windows maker said an attacker who exploited the shortcoming could potentially cause Copilot Agent mode to exfiltrate data as part of a zero-click attack.<\/p>\n<p>\u00abInformation disclosure vulnerabilities are especially dangerous in corporate environments where Excel files often contain financial data, intellectual property, or operational records,\u00bb Alex Vovk, CEO and co-founder of Action1, said in a statement.<\/p>\n<p>\u00abIf exploited, attackers could silently extract confidential information from internal systems without triggering obvious alerts. 
Organizations using AI-assisted productivity features may face increased exposure, as automated agents could unintentionally transmit sensitive data outside corporate boundaries.\u00bb<\/p>\n<p>The patches come as Microsoft said it&#8217;s changing the default behavior of Windows Autopatch by enabling hotpatch security updates to help secure devices at a faster pace.<\/p>\n<p>\u00abThis change in default behavior comes to all eligible devices in Microsoft Intune and those accessing the service via Microsoft Graph API starting with the May 2026 Windows security update,\u00bb Redmond <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/windows-itpro-blog\/securing-devices-faster-with-hotpatch-updates-on-by-default\/4500066\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abApplying security fixes without waiting for a restart can get organizations to 90% compliance in half the time, while you remain in control.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft on Tuesday released patches for a set of 84 new security vulnerabilities affecting various software components, including two that have been listed as publicly known. 
Of these, eight are&hellip;<\/p>\n","protected":false},"author":1,"featured_media":227,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[11,584,583,147,348,57,328,349,53],"class_list":["post-226","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-flaws","tag-including","tag-march","tag-microsoft","tag-patch","tag-patches","tag-public","tag-tuesday","tag-zerodays"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=226"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/226\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/227"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}