Microsoft Patch Tuesday March 2026: 93 Critical Vulnerabilities Fixed

Microsoft Patch Tuesday March 2026: 93 Critical Vulnerabilities Fixed

Microsoft Patch Tuesday March 2026: 93 Critical Vulnerabilities Fixed

Microsoft’s March 2026 Patch Tuesday update addresses 93 security vulnerabilities, including 9 critical flaws in Microsoft Edge’s Chromium components. With 8 of these rated as critical, this update demands immediate attention from IT teams and developers. Let’s break down the key issues and why you should prioritize these patches.

Why This Update Matters

Microsoft’s latest round of fixes includes vulnerabilities that could allow remote code execution, privilege escalation, and denial-of-service attacks. Notably, 2 vulnerabilities were disclosed prior to this update but remain unexploited—highlighting the importance of proactive patching. The update also resolves issues in Azure services, Office applications, and .NET frameworks.

Critical Vulnerabilities Addressed

1. Remote Code Execution in Microsoft Devices Pricing Program

CVE-2026-21536 is a critical remote code execution flaw in Microsoft’s cloud-based Devices Pricing Program. Discovered by AI platform XBOW, this vulnerability could allow attackers to execute arbitrary code. Microsoft has already deployed the fix in its cloud environment.

2. Privilege Escalation in SQL Server

CVE-2026-21262 enables authenticated users to escalate privileges to sysadmin in SQL Server. This flaw could grant attackers full control over databases, making it a high-priority fix for enterprises relying on Microsoft’s database systems.

3. Excel and Office Vulnerabilities

  • CVE-2026-26113/10/144: Multiple critical flaws in Excel and Office applications could lead to remote code execution or information disclosure.
  • Microsoft rates these as critical due to their potential for exploitation via malicious documents.

Notable Disclosed Vulnerabilities

Two vulnerabilities were disclosed before this update but remain unexploited:

  • CVE-2026-26127: A .NET denial-of-service flaw caused by an out-of-bounds read. No authentication required.
  • CVE-2026-26131: An elevation-of-privilege issue in .NET with a CVSS score of 7.8.

Chromium and Azure Updates

Microsoft Edge users should note 9 Chromium-related fixes, including:

  • Integer overflow issues in ANGLE and Skia (CVE-2026-3536/3538).
  • Heap buffer overflow in WebCodecs (CVE-2026-3544).

Azure services also received critical patches, such as:

  • CVE-2026-23651: A privilege escalation flaw in Azure Confidential Containers.
  • CVE-2026-26124: A critical elevation-of-privilege issue in Azure MCP Server Tools.

What You Should Do Now

  1. Apply Updates Immediately: Use Windows Update or Microsoft Endpoint Manager to deploy patches.
  2. Review Affected Systems: Check for Office, SQL Server, and Azure workloads requiring urgent fixes.
  3. Monitor for Exploits: Track Microsoft’s security advisories for any post-patch activity.

Conclusion

Microsoft’s March 2026 Patch Tuesday is one of the largest updates of the year, addressing 93 vulnerabilities across critical systems. By prioritizing these fixes, organizations can mitigate risks from both known and emerging threats. Don’t delay—apply these patches today to protect your infrastructure from potential exploits.