March 2026 Patch Tuesday: 77 Fixes, Zero Active Exploits
Microsoft's March 2026 Patch Tuesday delivered security updates addressing 77 CVEs across Windows, Office, SQL Server, .NET, and other products. In a rare reprieve compared to February's five-zero-day release, no vulnerabilities are confirmed as actively exploited in the wild this cycle — though two publicly disclosed CVEs were included.
Despite the absence of active zero-days, several patches carry meaningful urgency for organizations running internet-facing or enterprise-critical infrastructure.
Highlight Vulnerabilities
CVE-2026-21262 — SQL Server Privilege Escalation to Sysadmin
The most impactful patch for enterprise environments addresses a privilege escalation vulnerability in Microsoft SQL Server 2016 SP3 through SQL Server 2025. An authenticated attacker exploiting CVE-2026-21262 can escalate to the sysadmin role over the network — the highest privilege level in SQL Server, enabling full database access, command execution via xp_cmdshell, and lateral movement.
| Field | Details |
|---|---|
| CVE | CVE-2026-21262 |
| Product | SQL Server 2016 SP3 – SQL Server 2025 |
| Impact | Privilege Escalation to sysadmin |
| Attack Vector | Network (no physical access required) |
| Authentication | Required (low privilege) |
| Priority | High — patch immediately for internet-facing SQL instances |
Organizations running SQL Server instances accessible from internal networks or, worse, exposed to the internet, should prioritize this patch above others in the March cycle.
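The following T-SQL is an added defender's audit, not code from the original article or from Microsoft. It checks the three things the CVE-2026-21262 write-up above turns on: which build an instance is running (so it can be compared against the March 2026 fixed build, which the article does not list and is therefore left as a placeholder), who already holds sysadmin, and whether xp_cmdshell is enabled as a follow-on command-execution path. It assumes the caller has sysadmin or VIEW SERVER STATE rights and that the audit file path is adjusted for the host.

```sql
-- Added example (not from the article): audit an instance for the conditions
-- that make CVE-2026-21262 most damaging. Run as sysadmin / VIEW SERVER STATE.

-- 1. Build inventory. Compare product_version with the March 2026 GDR/CU build
--    for your branch; <FIXED_BUILD_FROM_MS_KB> is a placeholder because the
--    article does not list build numbers.
SELECT SERVERPROPERTY('ProductVersion')      AS product_version,   -- e.g. 16.0.xxxx.x
       SERVERPROPERTY('ProductLevel')        AS product_level,     -- RTM / SPn
       SERVERPROPERTY('ProductUpdateLevel')  AS update_level,      -- CUn or NULL
       SERVERPROPERTY('Edition')             AS edition,
       N'<FIXED_BUILD_FROM_MS_KB>'           AS expected_fixed_build;

-- 2. Sysadmin membership. After the patch this list is still the blast radius
--    of any low-privilege credential an attacker may already hold; trim it.
SELECT sp.name,
       sp.type_desc,          -- SQL_LOGIN / WINDOWS_LOGIN / WINDOWS_GROUP
       sp.is_disabled
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN   sys.server_principals   AS sp ON sp.principal_id = rm.member_principal_id
WHERE  r.name = N'sysadmin'
ORDER BY sp.name;

-- 3. Post-escalation command execution surface. The article names xp_cmdshell
--    as the command-execution path once sysadmin is obtained.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN (N'xp_cmdshell', N'Ole Automation Procedures');

-- 4. Mitigation where xp_cmdshell is on and no workload needs it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 5. Detection. A server audit that records server-role membership changes and
--    server-level permission grants, so an escalation to sysadmin leaves a trail.
--    Adjust FILEPATH for the host; the audit is created disabled and turned on last.
CREATE SERVER AUDIT [Audit_SysadminChanges]
    TO FILE (FILEPATH = N'C:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    WITH (ON_FAILURE = CONTINUE);

CREATE SERVER AUDIT SPECIFICATION [AuditSpec_SysadminChanges]
    FOR SERVER AUDIT [Audit_SysadminChanges]
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);

ALTER SERVER AUDIT [Audit_SysadminChanges] WITH (STATE = ON);
```

Run sections 1 through 3 read-only first across every instance in the estate; they make a quick triage list of unpatched builds with broad sysadmin membership and xp_cmdshell enabled, which is exactly where this CVE does the most damage. Sections 4 and 5 change server state and belong in the change window alongside the patch itself.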
CVE-2026-26113 & CVE-2026-26110 — Office RCE via Preview Pane
Two remote code execution vulnerabilities in Microsoft Office can be triggered through the Outlook Preview Pane — meaning no file execution, no macro approval, and no further user interaction beyond previewing a malicious document.
Preview Pane RCEs represent a particularly dangerous class because many users consider previewing (not opening) a document safe. Security awareness training often draws this distinction, making these bugs especially suitable for social engineering campaigns.
Both CVEs are rated as "exploitation more likely" by Microsoft. Organizations using Office in environments where external emails with attachments are common should treat these as priority patches.
CVE-2026-26144 — Excel/Copilot Information Disclosure
This flaw affects Microsoft Excel when Copilot Agent mode is active. The vulnerability can cause Copilot to exfiltrate data via unintended network egress — described in analyses as a zero-click information disclosure attack. Notably, this is the first publicly documented case of an AI assistant feature being the proximate cause of data exfiltration through a CVE.
The flaw underscores an emerging challenge: as AI assistants are integrated deeper into productivity software, they expand the attack surface in novel ways that may not be covered by traditional security controls.
CVE-2026-21536 — AI-Discovered RCE (CVSS 9.8)
Perhaps the most historically notable CVE in this cycle: CVE-2026-21536 in the Microsoft Devices Pricing Program was discovered by XBOW, an autonomous AI penetration testing system developed by Horizon3.ai. This is among the first CVEs publicly credited to an autonomous AI agent rather than a human researcher.
The vulnerability carries a CVSS score of 9.8 and requires no source code access to discover or exploit. No authentication is required. Its presence in a March cycle with no zero-days may suggest the AI discovery → disclosure → patch pipeline is beginning to compress timelines for vendors.
Privilege Escalation Concentration
Approximately 55% of the March cycle consists of privilege escalation vulnerabilities. Tenable's Satnam Narang highlighted six EoP bugs rated "exploitation more likely" across:
- Windows Graphics Component
- Windows Accessibility Infrastructure
- Windows Kernel
- Windows SMB Server
- Windows Winlogon
This concentration is consistent with a post-initial-access exploitation pattern, where attackers who have already established a foothold seek local privilege escalation to move laterally or establish persistence.
Full Scope Summary
| Category | Count |
|---|---|
| Privilege Escalation | ~43 |
| Remote Code Execution | ~15 |
| Information Disclosure | ~10 |
| Denial of Service | ~5 |
| Security Feature Bypass | ~4 |
| Total | 77 |
Notable Context: Adjacent Patches
Microsoft shipped additional fixes outside the formal Tuesday count:
- 9 browser patches (not included in the 77 CVE count)
- Out-of-band fix (March 2) for a Windows Server 2022 bug breaking Windows Hello for Business certificate renewal
- Adobe separately patched 80 vulnerabilities on the same day, including CVE-2026-34621 in Acrobat Reader — an actively exploited zero-day (see related coverage)
Patch Prioritization Guidance
For most organizations, the recommended patch priority order this cycle:
- CVE-2026-21262 (SQL Server → sysadmin EoP) — network-accessible, high impact
- CVE-2026-26113 / CVE-2026-26110 (Office Preview Pane RCE) — low barrier, social engineering risk
- CVE-2026-21536 (CVSS 9.8 RCE) — critical score, AI-discovered
- CVE-2026-26144 (Copilot data exfiltration) — novel AI-adjacent attack surface
- Windows Kernel / SMB / Winlogon EoP bugs — post-exploitation risk