Microsoft on Tuesday rolled out fixes for 84 newly identified security vulnerabilities spanning multiple software components, including two flaws that were already publicly disclosed at the time of patching.
Of the total issues addressed, eight are rated Critical and 76 are classified as Important. Privilege escalation vulnerabilities account for the largest share, with 46 flaws, followed by 18 remote code execution, 10 information disclosure, four spoofing, four denial-of-service, and two security feature bypass issues.
These updates are in addition to 10 vulnerabilities that Microsoft has already remediated in its Chromium‑based Edge browser since the February 2026 Patch Tuesday release.
Publicly Disclosed Zero‑Days
The two publicly known zero‑day vulnerabilities fixed this month are:
- CVE-2026-26127 (CVSS 7.5) – A denial‑of‑service vulnerability affecting .NET
- CVE-2026-21262 (CVSS 8.8) – An elevation‑of‑privilege flaw in Microsoft SQL Server
The highest‑scoring vulnerability addressed in the March update is CVE-2026-21536 (CVSS 9.8), a critical remote code execution issue in the Microsoft Devices Pricing Program. Microsoft stated that this flaw has already been fully mitigated and requires no action from customers. The issue was discovered and responsibly disclosed by XBOW, an AI‑driven autonomous vulnerability research platform.
Privilege Escalation Dominates This Month’s Fixes
“This month, more than half, about 55%, of all Patch Tuesday CVEs were privilege escalation vulnerabilities,” said Satnam Narang, Senior Staff Research Engineer at Tenable. “Six of those were rated as more likely to be exploited and affect components such as the Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon.”
Narang noted that privilege escalation bugs are commonly leveraged by attackers during post‑compromise activity, after initial access is gained through social engineering or exploitation of other vulnerabilities.
One notable example is CVE-2026-25187 (CVSS 7.8), a Winlogon privilege escalation vulnerability that exploits improper link resolution to obtain SYSTEM‑level privileges. The flaw was reported by Google Project Zero researcher James Forshaw.
“The issue allows a locally authenticated, low‑privileged attacker to exploit a link‑following condition in the Winlogon process and elevate privileges to SYSTEM,” explained Jacob Ashdown, a cybersecurity engineer at Immersive. “It requires no user interaction and has low attack complexity, making it an attractive target once attackers gain a foothold.”
Azure MCP Server SSRF Vulnerability
Another significant vulnerability addressed this month is CVE-2026-26118 (CVSS 8.8), a server‑side request forgery (SSRF) flaw in the Azure Model Context Protocol (MCP) server. The issue could allow an authorized attacker to escalate privileges over the network.
Microsoft explained that an attacker could exploit the vulnerability by submitting specially crafted input to an MCP Server tool that accepts user‑supplied parameters. If the attacker can interact with an MCP‑backed agent, they may replace a legitimate Azure resource identifier with a malicious URL.
“The MCP Server then sends an outbound request to that URL and may include its managed identity token,” Microsoft said. “This could allow an attacker to capture the token without needing administrative privileges.”
If successfully exploited, the attacker could gain access to all permissions associated with the MCP Server’s managed identity and perform actions against any authorized Azure resources.
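The following Python is an added illustration, not Microsoft's code and not the Azure MCP Server's implementation. It contrasts the pattern Microsoft describes (a user-supplied value used as the outbound URL, with the identity token attached) against a hardened version in which the outbound host is fixed and the parameter must be a well-formed Azure resource ID, so the token can only ever be sent to the expected endpoint. The host name, API version and resource-ID pattern are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed example, not Microsoft's code. The tool is assumed to talk only to
# Azure Resource Manager, so the outbound host is fixed (assumption).
ALLOWED_HOST = "management.azure.com"
API_VERSION = "2021-04-01"  # placeholder API version for the illustration

# ARM resource IDs have a rigid shape; each path segment must start alphanumeric,
# so characters like '@', '?', '#' or '/' inside a segment are rejected outright.
_SEG = r"[A-Za-z0-9][A-Za-z0-9._()-]*"
_ARM_ID = re.compile(
    rf"^/subscriptions/[0-9a-fA-F-]{{36}}/resourceGroups/{_SEG}"
    rf"/providers/[A-Za-z0-9.]+(?:/{_SEG}){{2,}}$",
    re.IGNORECASE,
)


def vulnerable_target(param: str) -> tuple[str, bool]:
    """Pattern the advisory describes: the parameter is used as the URL and the
    managed identity token is attached regardless of where it points."""
    return param, True


def token_allowed_for(url: str) -> bool:
    """Final gate before any outbound call: HTTPS to the fixed ARM host only."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname == ALLOWED_HOST


def hardened_target(param: str) -> tuple[str, bool]:
    """Accept only a well-formed resource ID and build the URL ourselves, so the
    caller can never choose the host that receives the identity token."""
    if not _ARM_ID.match(param):
        raise ValueError("parameter is not an Azure resource ID")
    url = f"https://{ALLOWED_HOST}{param}?api-version={API_VERSION}"
    return url, token_allowed_for(url)
```

The second gate in `token_allowed_for` is deliberately independent of the resource-ID check, so a future code path that builds URLs differently still cannot attach the token to an unexpected host.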
Critical Excel Information Disclosure Bug
Among the Critical‑severity issues fixed this month is CVE-2026-26144 (CVSS 7.5), an information disclosure vulnerability in Microsoft Excel. The flaw stems from improper input neutralization during web page generation, effectively resulting in a cross‑site scripting condition.
Microsoft warned that exploitation could cause Copilot Agent mode to exfiltrate data in a zero‑click attack scenario.
“Information disclosure vulnerabilities are particularly dangerous in enterprise environments where Excel files often contain financial data, intellectual property, or sensitive operational records,” said Alex Vovk, CEO and co‑founder of Action1. “If exploited, attackers could quietly extract confidential data without triggering obvious alerts. Organizations using AI‑assisted productivity tools may face increased exposure, as automated agents could unintentionally transmit sensitive information outside corporate boundaries.”
Windows Autopatch Changes
The Patch Tuesday release also coincides with Microsoft’s announcement of a change to Windows Autopatch. The company is enabling hotpatch security updates by default, allowing devices to receive security fixes without requiring a system restart.
“This change will roll out to all eligible devices managed through Microsoft Intune and those accessing the service via Microsoft Graph API starting with the May 2026 Windows security update,” Microsoft said. “Applying security fixes without waiting for a restart can help organizations reach 90% compliance in half the time, while maintaining full administrative control.”