Microsoft Patch Tuesday: 80 Fixes for Office and SQL Server
Microsoft’s March Patch Tuesday has arrived, bringing nearly 80 fixes for everything from your Excel spreadsheets to the heart of corporate SQL servers. While we dodged the chaos of active zero-day attacks this month, don’t let your guard down just yet.
Office Flaws: A Simple Hack
Two major flaws in Microsoft Office (CVE-2026-26113 and CVE-2026-26110) allow hackers to run their own malicious code on your computer just by having you view a rigged document in the “Preview Pane.” Jack Bicer, Director of Vulnerability Research at Action1, told TechRepublic that this is a high-priority issue.
Meanwhile, Mike Walters, president and co-founder of Action1, echoed this warning when discussing the second Office flaw, telling TechRepublic: “A single memory handling mistake inside Office can allow attackers to run their own code, turning an ordinary document into a potential system takeover… Even a single malicious document could compromise an endpoint and give attackers a foothold inside the organization.”
Excel and the AI Risk
If you use Microsoft’s new AI tools, you’ll want to pay extra attention to a bug in Excel (CVE-2026-26144). This “information disclosure” flaw could allow an attacker to trick Excel, specifically its Copilot Agent mode, into leaking sensitive data across a network without you knowing.
Additionally, Alex Vovk, CEO and Co-Founder of Action1, noted that such leaks are silent but deadly for businesses. “Information disclosure vulnerabilities are especially dangerous in corporate environments where Excel files often contain financial data, intellectual property, or operational records. If exploited, attackers could silently extract confidential information from internal systems without triggering obvious alerts,” Vovk noted.
Public Zero-Days
Even though hackers weren’t using them yet, two flaws were publicly disclosed, meaning the blueprints for how to exploit them were already out in the open. CVE-2026-21262: A bug in SQL Server that lets someone with basic access quietly promote themselves to a sysadmin. CVE-2026-26127: A flaw in the .NET framework that could be used to remotely crash applications, effectively knocking services offline.
What You Should Do
For most of us, the advice remains the same: head to your Windows Update settings and click “Check for updates.” If you can’t update your Office apps immediately, security experts suggest disabling the Preview Pane in your file explorer as a temporary shield against those malicious document attacks.
Finally, it’s essential to stay informed about the latest cybersecurity threats and best practices. Subscribe to our Cybersecurity Insider Newsletter to stay up-to-date on the latest news and solutions.
Frequently Asked Questions
- What is the focus of Microsoft’s March Patch Tuesday? The focus is on fixing nearly 80 vulnerabilities in Office and SQL Server.
- What is the most severe bug of the month? The most severe bug is CVE-2026-21536, which affects the Microsoft Devices Pricing Program and was discovered by an autonomous AI agent called XBOW.
- How can I protect myself from malicious document attacks? Disable the Preview Pane in your file explorer as a temporary shield until you can update your Office apps.
- What is the risk of using Microsoft’s new AI tools in Excel? The risk is that an attacker could trick Excel into leaking sensitive data across a network without your knowledge.
- How can I stay informed about the latest cybersecurity threats and best practices? Subscribe to our Cybersecurity Insider Newsletter to stay up-to-date on the latest news and solutions.








