March 2026 Patch Tuesday: Urgent Windows Updates, Zero Days, and EoP Fixes

Microsoft’s March Patch Tuesday landed this week with another heavy set of fixes — security teams should stop what they’re doing, check their inventory, install updates and restart affected machines as soon as practical. The rollout patches dozens of vulnerabilities across Windows, Office, SQL Server, .NET runtimes and cloud tooling, and contains multiple high-severity issues and two publicly disclosed zero-day vulnerabilities that shorten the safe window for defenders. Whether you run a single laptop at home or a global enterprise estate, this is a patch cycle you cannot ignore.

Background / Overview​

Microsoft released its monthly security updates as part of the Patch Tuesday cadence in early March 2026. Security vendors and incident response teams converged on the same core message: this release addresses roughly eighty-some distinct CVEs, includes several critical remote code execution (RCE) flaws, a high-scoring RCE that Microsoft has mitigated server-side, and two publicly disclosed zero-day vulnerabilities of particular operational interest.
Counting and classification vary between vendor writeups — trackers reported between 79 and 84 Microsoft CVEs depending on whether third‑party Chromium/other bundled fixes were included — but independent coverage from multiple responder and vendor firms confirms the key operational facts:

• Multiple critical remote code execution vulnerabilities are fixed.
• Two vulnerabilities were publicly disclosed before a patch was available (technically “zero-day” disclosures).
• Several elevation-of-privilege (EoP) flaws dominate the list, a common pattern that increases the impact of a successful initial compromise.
• Microsoft and third-party vendors recommend immediate patching, with mitigations for cases where immediate patching is infeasible.

Because some of the patched flaws can be chained (initial foothold → privilege escalation → lateral movement), defenders should treat this month’s updates as not only urgent for systems directly targeted by the CVEs, but also as critical hardening for reducing post-compromise attack surface.

---

What the headlines mean — the high‑risk items explained​

Two publicly disclosed “zero-day” vulnerabilities​

Two CVEs tied to this release were publicly disclosed prior to the availability of a patch. Public disclosure matters because it makes exploit details, PoCs or proven attack techniques visible to attackers who can weaponize them quickly. The two most notable are:

• CVE-2026-21262 (SQL Server — Elevation of Privilege, CVSS ~8.8): An improper access control issue in SQL Server that could allow a low‑privilege or authenticated attacker to escalate to sysadmin-level privileges. It requires authentication to exploit, but if weaponized it provides full control of a database instance and therefore is high priority for organizations running on-premises SQL Server workloads.
• CVE-2026-26127 (.NET — Denial of Service / out-of-bounds read): A cross‑platform .NET runtime vulnerability that can be triggered by crafted input to cause crashes and service disruption. Although DoS is not code execution, this flaw affects runtime stability for .NET 9.0/10.0 and can be particularly damaging for clustered services and high‑availability applications.

Operational note: while both were publicly disclosed, multiple vendors assessed that exploitation was less likely in the wild at the time of release — but “less likely” is not “no risk.” Public disclosure alone shortens defenders’ reaction time; treat these items as urgent.

Critical remote code execution and AI/Copilot-related information‑exfiltration​

This month’s roll-up also fixes several RCEs and an unusual information‑disclosure pattern tied to Microsoft’s Copilot functionality in Office:

• CVE-2026-21536 (Devices Pricing Program — RCE, CVSS 9.8): A very high‑severity RCE that scored near the top of the scale. Microsoft has indicated it fully mitigated the issue on the service side for cloud deployments. On-prem or locally hosted variants should still apply updates immediately.
• CVE-2026-26144 (Excel + Copilot — Critical info disclosure / XSS): Microsoft rated an Excel web‑rendering/XSS issue as critical because, in certain configurations with Copilot Agent enabled, an attacker can cause the agent to initiate unintended outbound network activity, potentially exfiltrating data without any user interaction — a so‑called zero-click exfiltration scenario. This novel attack surface highlights how AI assistants integrated into productivity applications add new risks that defenders must address immediately.
• Office preview‑pane RCEs (examples: CVE-2026-26110 and CVE-2026-26113): Multiple Office vulnerabilities allow RCE via the Windows Explorer preview pane; that means a malicious file can trigger an exploit before a user consciously opens it. If you cannot patch immediately, disabling the preview pane is a pragmatic short-term mitigation.

Heavy concentration of elevation‑of‑privilege (EoP) bugs​

Across the release, a large fraction of the fixes are EoP vulnerabilities in components such as Windows Graphics, Accessibility Infrastructure, Windows Kernel, SMB Server and Winlogon. Security firms noted that roughly half the CVEs are EoP, and several were flagged as “exploitation more likely” by commercial trackers.
Why that matters: EoP flaws are commonly used as the second step in a longer attack chain. An attacker gains an initial foothold via phishing, exposed RCEs, or credential theft — then uses EoP bugs to escalate privileges and move laterally. Reducing the window for exploitation of EoP vulnerabilities is therefore essential for stopping ransomware and sophisticated intrusion campaigns.

---

Why you should check and restart your PC now​

Patching is only effective once updates are installed and the system is restarted. Cumulative Windows updates often replace in‑use kernel components and services that only become fully protected after a reboot. Beyond that:

• Several Office and Windows preview‑pane issues enable no‑click or preview‑pane exploitation, meaning a user need not open a document to be affected. Reboot plus patched binaries closes those attack paths.
• Server-side mitigations exist for some cloud services, but many organizations run on‑premise software that still requires manual patching and restarts.
• Public disclosure of two vulnerabilities means adversaries could already be testing exploits against unpatched targets — every day unpatched increases risk.

If you use Windows Update and automatic reboots are disabled, perform a manual check and choose a restart window within the next 24 hours.

---

Practical step‑by‑step patching plan (home users and small businesses)​

• Check Windows Update now: Start > Settings > Windows Update > Check for updates. Install available security updates and restart immediately.
• If you use Microsoft Office (desktop apps), ensure Office updates are installed via the Office update channel (Microsoft 365 / Office update mechanism) and restart after updates complete.
• If you have Microsoft 365 Copilot enabled or you’re running Excel with Copilot Agent features, consider temporarily disabling Copilot Agent or restricting Copilot’s network access until updates are applied and validated.
• If you cannot patch immediately: disable the Windows Explorer preview pane (View > Preview pane) and avoid opening Office files from untrusted sources.
• Update the .NET runtime(s) and any developer stacks on your machine (especially if you run .NET 9.0 or 10.0 runtimes).
• Verify antivirus/endpoint protection is updated and configured to scan downloads and attachments.

Short guidance for restarts: many updates will show “pending restart” and will not complete until a reboot happens. A scheduled restart later is safer than not restarting at all — schedule within business hours but minimize delay.

---

Operational checklist for administrators and enterprises​

• Inventory first: enumerate exposed SQL Server instances, public-facing Windows servers (RRAS, SMB, Remote Desktop roles), on‑prem Azure/agent components (MCP), and systems with Copilot/AI agent deployment.
• Prioritize by exposure and criticality:
• Internet‑facing servers and services (SQL Server reachable from outside, RRAS/VPN endpoints).
• Domain controllers, Hyper‑V hosts, and systems that host business-critical apps.
• Endpoints with broad data access or administrative reach.
• Apply patches to test/dev first, validate key business applications, then push to production. For many organizations, a rolling patch window (canary -> pilot -> full) mitigates the risk of blocker issues while delivering security fixes quickly.
• For SQL Server: apply the published cumulative updates or GDRs that contain CVE‑2026‑21262; where immediate patching is impossible, consider restricting SQL logins, isolating instances, and monitoring for unusual privilege escalation attempts.
• For .NET services: update runtime binaries to the patched versions; for containerized or cloud builds, rebuild images with updated runtimes and redeploy.
• Disable or restrict features temporarily:
• Preview Pane for file servers and desktop pools.
• Copilot Agent network egress for Excel/Office in high‑risk environments until patches are validated.
• Use existing EDR and logging to hunt for indicators of exploitation:
• Unusual SQL sysadmin privilege escalation events.
• Unexpected process crashes (possible exploitation attempts of .NET DoS).
• Unusual Copilot/Excel network connections or data egress patterns.
• Communicate with stakeholders: notify help desks and service owners about the update schedule, planned restarts, and temporary mitigations.

---

Quick mitigations for the most urgent attack paths​

• Disable the Windows Explorer Preview Pane until Office/Explorer patches are applied.
• Restrict network exposure of SQL Server instances; block remote access to SQL instances unless explicitly required and firewall them behind VPN.
• Limit administrative logons to hardened jump hosts and enforce MFA for any administrative accounts that could be targeted for EoP chaining.
• For systems running .NET services that are Internet‑facing, add request throttling and circuit breakers to reduce impact of DoS‑style exploits until patched.
• If Copilot is enabled across your fleet, consider a temporary policy to block outbound traffic originating from Office processes until the Excel/Copilot fix is applied.

---

Testing, monitoring and rollback considerations​

Patches occasionally introduce regressions. Follow these best practices:

• Maintain a minimal canary group that reflects real production workloads. Test critical business applications and integrations immediately after applying updates.
• Record baseline metrics and logs pre‑patch so you can quickly detect regressions or performance anomalies.
• For servers where a patched binary causes instability in production, have rollback plans and test those rollbacks in a separate environment. Rolling back Windows cumulative security updates is nontrivial and may require manual steps; don’t assume rollback will be seamless.
• Keep crash dumps and EDR telemetry from systems that show unexplained crashes — these are valuable for post‑incident analysis and for vendors if a patch causes unforeseen behavior.
• Update asset inventory and patch status dashboards in real time; track which hosts still require reboot.

---

Threat modeling — how attackers could use these flaws​

Defenders should assume adversaries will try to chain vulnerabilities. Likely scenarios:

• Phishing or exposed RCE → initial code execution on a host → exploit a local EoP (Winlogon/Graphics/Kernel) → escalate to SYSTEM → lateral movement to domain controllers or SQL servers → deploy ransomware or steal data.
• Compromise of a user with access to a SQL instance → use CVE‑2026‑21262 to escalate to sysadmin → exfiltrate or manipulate database content.
• Malicious spreadsheet delivered via email → Excel Copilot XSS triggers Copilot to exfiltrate content silently (zero‑click) when Copilot Agent is present — this removes user interaction from the attacker’s workflow and complicates detection.

The bottom line: even if a critical flaw is not being actively exploited at the time of release, the combination of public disclosure and the presence of EoP bugs makes rapid, prioritized patching essential.

---

What’s new and what’s different this month​

Two items stand out in this Patch Tuesday cycle:

• The Copilot/AI agent attack surface has become a practical consideration. The Excel XSS leading to potential Copilot exfiltration is a fresh class of risk — productivity features that act on content autonomously add systemic risk if not carefully sandboxed and updated.
• A continued emphasis on privilege‑escalation fixes. This release reinforces a trend: attackers increasingly rely on EoP bugs as the pivot from a foothold to full compromise. That pattern elevates the operational priority of local privilege hardening and patching.

Security teams should therefore not only apply patches but review feature enablement policies for AI assistants and review privilege separation and least‑privilege enforcement.

---

Discrepancies in reporting — why some sites say 83 and others 84 (caveat for readers)​

Readers will see slight differences in how many CVEs were reported for this month. That is normal: vendors and aggregators sometimes count Microsoft‑patched third‑party components (e.g., Chromium or bundled libraries) differently from Microsoft’s own tracked CVEs. Timezones and release timing (MSRC interactive guide updates vs. press releases) can also make the published counts vary by one or two. The security takeaways remain the same: multiple high‑severity CVEs and two public disclosures — treat the release as urgent regardless of whether the tally is 79, 83 or 84.
Where a claim about active exploitation is made, treat it cautiously: Microsoft and many vendor trackers indicated no confirmed active exploitation for the zero-days at the time of publication, though the mere public disclosure increases risk for unpatched systems.

---

Long‑term hardening recommendations​

• Enforce least privilege and remove local administrator rights from endpoints where possible. EoP vulnerabilities become far more dangerous where users routinely have local admin access.
• Segment critical services: database servers, Active Directory Domain Controllers, and jump hosts should be on segmented networks with restrictive ACLs and monitored access.
• Harden Office attack surface: disable autorun/preview features where corporate policy allows, and use application control to limit what Office macros and add-ins can do.
• Adopt immutable infrastructure practices for cloud workloads (rebuilt containers/VM images with secure baselines) so runtime vulnerabilities are quickly corrected by redeploying patched images.
• Regularly test incident response playbooks that combine detection of initial compromise and EoP exploitation — tabletop exercises that explicitly model privilege escalation scenarios will reveal procedural gaps.
• Treat AI assistants and integrations as high‑risk services: review data access scopes, network egress rules and the telemetry they emit.

---

Final verdict — the tradeoffs and risks​

This Patch Tuesday is another reminder that modern ecosystems change the threat calculus: feature-rich productivity platforms and AI agents provide major user productivity gains, but they also expand the attack surface. The fixed vulnerabilities include both traditional attack classes (RCE, EoP, DoS) and new, AI‑adjacent scenarios (Copilot exfiltration).

• Strengths in Microsoft’s response this month: quick release of patches, service-side mitigation for at least one critical server‑side RCE, and detailed advisories with per‑component guidance.
• Remaining risks: public disclosure of two vulnerabilities, many EoP bugs that are attractive for post‑compromise activity, and novel exfiltration channels that require defenders to rethink network controls and data leakage detection.

In short: the practical, defensible choice is to patch aggressively, restart machines to complete installs, apply compensating controls where immediate patching isn’t possible (disable Preview Pane, restrict SQL exposure, limit Copilot agent network egress), and monitor aggressively for signs of privilege escalation or unexpected data egress. Delay increases risk; act now.

---

Conclusion
Windows users and administrators should treat the March 2026 Patch Tuesday release as an urgent operational priority. Start with a full inventory, prioritize internet‑facing and critical servers (SQL Server, domain controllers, public services), deploy updates to test groups and then widely, and restart each machine once updates are installed. If you can’t patch immediately, apply short‑term mitigations (disable preview pane, isolate SQL instances, restrict Copilot egress), then patch at the earliest possible window. The mix of high‑severity RCEs, two publicly disclosed zero‑days, and a rash of privilege‑escalation fixes means this is not a “wait until next week” situation — it’s time to update, reboot and harden.

---

Source: Express.co.uk Everyone using Windows urged to check their PCs and restart them now | Express.co.uk