Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days
- Mar 11
Key Findings
Microsoft released patches for 84 new security vulnerabilities affecting various software components
8 vulnerabilities are rated Critical, and 76 are rated Important in severity
46 of the patched vulnerabilities relate to privilege escalation, followed by 18 remote code execution, 10 information disclosure, 4 spoofing, 4 denial-of-service, and 2 security feature bypass flaws
2 publicly disclosed zero-days are included:
CVE-2026-26127 (CVSS 7.5) - Denial-of-service vulnerability in .NET
CVE-2026-21262 (CVSS 8.8) - Elevation of privilege vulnerability in SQL Server
The vulnerability with the highest CVSS score (9.8) is a critical remote code execution flaw in the Microsoft Devices Pricing Program
Background
The March 2026 Patch Tuesday release from Microsoft addresses a wide range of vulnerabilities across the company's product portfolio, including Windows, enterprise platforms, and developer frameworks. The update resolves 84 unique security issues, with 8 classified as Critical and 76 as Important in severity.
Privilege Escalation Vulnerabilities Dominate
Over half (46 of 84, about 55%) of the patched vulnerabilities are elevation-of-privilege flaws, a class threat actors typically chain after an initial foothold to move from a low-privileged user or service context to SYSTEM. Several of them, affecting components such as the Windows Kernel, the SMB Server, and Winlogon, carry Microsoft's Exploitability Index rating of "Exploitation More Likely", which means Microsoft expects working exploit code to be feasible and should be treated as a deployment-priority signal even though none were exploited at release.
Publicly Disclosed Zero-Days
This month's update includes two zero-day vulnerabilities whose details were publicly disclosed before patches were available:
1. CVE-2026-26127 (CVSS 7.5) - A denial-of-service vulnerability in the .NET platform that could allow a remote attacker to crash an affected application or service.
2. CVE-2026-21262 (CVSS 8.8) - An elevation of privilege vulnerability in SQL Server that could let an already authenticated attacker escalate to the sysadmin fixed server role, which grants full control of the instance and every database on it.
Although there is no evidence of in-the-wild exploitation yet, security researchers warn that both flaws are likely targets now that their details are public, so they should be patched ahead of the rest of the release.
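The triage logic the two preceding sections imply (publicly disclosed or exploited first, then "Exploitation More Likely" and Critical, then everything else) can be automated against Microsoft's own machine-readable release data. The following is an added example, not code from the article or from Microsoft. It assumes the field layout of the MSRC CVRF v2.0 JSON document (`Vulnerability` entries with `Threats` of Type 0 = impact, Type 1 = severity, Type 2 = a `;`-separated "key:value" exploit-status string, and `CVSSScoreSets`) and runs offline over a constructed sample in that shape; the three CVE IDs and base scores from the article are real, while the titles, vectors and the two `CVE-0000-*` placeholder records are made up. The `fetch_cvrf` helper and its endpoint URL are the only network-facing parts and are not exercised by default.

```python
"""Triage one Patch Tuesday release from MSRC CVRF JSON (added example)."""
import json
import sys
import urllib.request
from collections import Counter

# Assumed MSRC endpoint; a month is written like "2026-Mar".
MSRC_CVRF_URL = "https://api.msrc.microsoft.com/cvrf/v2.0/cvrf/{month}"

# Constructed sample in the CVRF v2.0 shape. The three CVE-2026-* IDs and
# their base scores come from the article; every other field, and the two
# CVE-0000-* records, are made up so that each triage path is exercised.
SAMPLE_CVRF = json.loads(r"""
{
  "DocumentTitle": {"Value": "March 2026 Security Updates"},
  "Vulnerability": [
    {"CVE": "CVE-2026-26127",
     "Title": {"Value": ".NET Denial of Service Vulnerability"},
     "Threats": [
       {"Type": 0, "Description": {"Value": "Denial of Service"}},
       {"Type": 1, "Description": {"Value": "Important"}},
       {"Type": 2, "Description": {"Value": "Publicly Disclosed:Yes;Exploited:No;Latest Software Release:Exploitation Less Likely;DOS:N/A"}}],
     "CVSSScoreSets": [{"BaseScore": 7.5, "Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]},
    {"CVE": "CVE-2026-21262",
     "Title": {"Value": "SQL Server Elevation of Privilege Vulnerability"},
     "Threats": [
       {"Type": 0, "Description": {"Value": "Elevation of Privilege"}},
       {"Type": 1, "Description": {"Value": "Important"}},
       {"Type": 2, "Description": {"Value": "Publicly Disclosed:Yes;Exploited:No;Latest Software Release:Exploitation Less Likely;DOS:N/A"}}],
     "CVSSScoreSets": [{"BaseScore": 8.8, "Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]},
    {"CVE": "CVE-2026-21536",
     "Title": {"Value": "Microsoft Devices Pricing Program Remote Code Execution Vulnerability"},
     "Threats": [
       {"Type": 0, "Description": {"Value": "Remote Code Execution"}},
       {"Type": 1, "Description": {"Value": "Critical"}},
       {"Type": 2, "Description": {"Value": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely;DOS:N/A"}}],
     "CVSSScoreSets": [{"BaseScore": 9.8, "Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]},
    {"CVE": "CVE-0000-0001",
     "Title": {"Value": "Placeholder Windows Kernel Elevation of Privilege (constructed)"},
     "Threats": [
       {"Type": 0, "Description": {"Value": "Elevation of Privilege"}},
       {"Type": 1, "Description": {"Value": "Important"}},
       {"Type": 2, "Description": {"Value": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation More Likely;DOS:N/A"}}],
     "CVSSScoreSets": [{"BaseScore": 7.8, "Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]},
    {"CVE": "CVE-0000-0002",
     "Title": {"Value": "Placeholder Spoofing Vulnerability (constructed)"},
     "Threats": [
       {"Type": 0, "Description": {"Value": "Spoofing"}},
       {"Type": 1, "Description": {"Value": "Important"}},
       {"Type": 2, "Description": {"Value": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely;DOS:N/A"}}],
     "CVSSScoreSets": [{"BaseScore": 5.4, "Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}
  ]
}
""")


def fetch_cvrf(month):
    """Download the live CVRF document for a month such as '2026-Mar' (needs network)."""
    req = urllib.request.Request(MSRC_CVRF_URL.format(month=month),
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def threat_value(vuln, threat_type):
    """First Type-N threat description: 0 = impact class, 1 = severity."""
    for threat in vuln.get("Threats", []):
        if threat.get("Type") == threat_type:
            return threat["Description"]["Value"]
    return "Unknown"


def exploit_status(vuln):
    """Parse the Type-2 exploit-status string into a dict of its key:value fields."""
    status = {}
    for threat in vuln.get("Threats", []):
        if threat.get("Type") != 2:
            continue
        for field in threat["Description"]["Value"].split(";"):
            key, sep, value = field.partition(":")
            if sep:
                status[key.strip()] = value.strip()
    return status


def max_base_score(vuln):
    """Highest CVSS base score across the products an entry covers."""
    return max((float(s.get("BaseScore", 0)) for s in vuln.get("CVSSScoreSets", [])), default=0.0)


def triage_tier(vuln):
    """1 = exploited or publicly disclosed, 2 = Exploitation More Likely or Critical, 3 = rest."""
    status = exploit_status(vuln)
    if status.get("Exploited") == "Yes" or status.get("Publicly Disclosed") == "Yes":
        return 1
    if "More Likely" in status.get("Latest Software Release", "") or threat_value(vuln, 1) == "Critical":
        return 2
    return 3


def summarize(cvrf):
    """Counts by severity and impact class, plus the publicly disclosed CVE IDs."""
    vulns = cvrf["Vulnerability"]
    return {
        "total": len(vulns),
        "by_severity": Counter(threat_value(v, 1) for v in vulns),
        "by_impact": Counter(threat_value(v, 0) for v in vulns),
        "publicly_disclosed": sorted(v["CVE"] for v in vulns
                                     if exploit_status(v).get("Publicly Disclosed") == "Yes"),
    }


def prioritized(cvrf):
    """CVE IDs ordered by triage tier, then descending CVSS, then ID for stability."""
    order = sorted(cvrf["Vulnerability"], key=lambda v: (triage_tier(v), -max_base_score(v), v["CVE"]))
    return [v["CVE"] for v in order]


if __name__ == "__main__":
    doc = fetch_cvrf(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CVRF
    print(doc["DocumentTitle"]["Value"], summarize(doc))
    for cve in prioritized(doc):
        print(cve)
```

Run with no arguments to see the sample triaged; pass a month such as `2026-Mar` to triage the live release. Tier 1 sorts the two publicly disclosed zero-days above the 9.8 RCE, which is the point: a public writeup raises real-world exploitation likelihood more than a high base score does, and Exploitability Index ratings deserve the same weight as severity.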
Critical Remote Code Execution Flaw
The vulnerability with the highest CVSS score (9.8) is CVE-2026-21536, a critical remote code execution flaw in the Microsoft Devices Pricing Program service. Microsoft states the issue has already been fully mitigated on its side, so no customer action is required; it is listed for transparency rather than as a patch to deploy.
Information Disclosure and AI Risks
Another notable issue is CVE-2026-26144, a critical information disclosure vulnerability in Excel that could lead to data exfiltration in a zero-click scenario, that is, without the victim having to interact with the malicious content. Information disclosure flaws are easy to underrate against RCE and EoP, but in environments where sensitive corporate data lives in Excel files a no-interaction leak is a direct path to exposure.
Broader Impact Across Microsoft's Portfolio
The March 2026 Patch Tuesday updates address vulnerabilities in a wide range of Microsoft products, including Windows components, SQL Server, Office, SharePoint, Azure, and more. This broad coverage makes the update essential for enterprise administrators managing Microsoft infrastructure and services.
Sources
https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html
https://hackread.com/microsoft-march-patch-tuesday-two-0-days-flaws/
https://www.linkedin.com/pulse/microsoft-february-2026-patch-tuesday-fixes-70-1mwuf