Philip Odjidja
Vulnerability Engineer
Philip Odjidja Linked In
Microsoft
Microsoft patched 84 CVEs in its March 2026 Patch Tuesday release, with eight rated critical and 76 rated as important. 46 of the patched vulnerabilities relate to privilege escalation, followed by 18 remote code executions, 10 information disclosures, four spoofing, four denial of service, and two security feature bypass flaws.
The fixes are in addition to 10 vulnerabilities that have been addressed in its Chromium-based Edge browser since the release last month.
Zero-Day Vulnerabilities
CVE-2026-26127 is a high severity Denial of service vulnerability affecting Microsoft.NETwith a CVSS score of 7.5. This flaw occurs because .NET performs improper bounds checking, allowing memory to be read outside the intended buffer. This can cause the runtime or application to crash. The software affected are Microsoft .NET 9.0 and 10.0. Microsoft currently assesses exploitation as unlikely, and there are no public exploits reported yet.
CVE-2026-21262 is a high severity Elevation of Privilege (EoP) vulnerability affecting Microsoft SQL Server. This flaw occurs because SQL Server incorrectly enforces access control rules, allowing a user with limited permissions to escalate privileges. CVE-2026-26115 and CVE-2026-26116 are also EoP vulnerabilities affecting Microsoft SQL Server. Each of these flaws received a CVSSv3 score of 8.8. Each of these were assessed as “Exploitation Less Likely” and no exploitation has been reported by Microsoft. However, a successful exploit of any one of these three flaws would result in an attacker gaining SQL sysadmin privileges.
Critical
CVE-2026-26110 and CVE-2026-26113 are remote code execution (RCE) vulnerabilities affecting Microsoft Office. Both vulnerabilities have a CVSS v3 score of 8.4 and are classified as critical. An attacker without authentication could exploit these flaws to execute code locally on a vulnerable system. Microsoft also indicates that the Preview Pane may serve as a potential attack vector for these vulnerabilities. However, both flaws are currently assessed by Microsoft as “Exploitation Less Likely.”
CVE-2026-21536 is a remote code execution (RCE) vulnerability affecting the Microsoft Devices Pricing Program. The flaw allows an attacker to execute arbitrary code on affected systems over the network without authentication or user interaction. Microsoft has been fully mitigated, and no action is required from users. The vulnerability has a CVSS v3 score of 9.8.
Important
CVE-2026-26118 is an Elevation of Privilege vulnerability affecting the Azure Model Context Protocol (MCP) Server. The flaw can be exploited by sending specially crafted input to a vulnerable Azure MCP Server that processes user supplied parameters. If successfully exploited, the attacker could use a compromised managed identity token to gain elevated privileges within the environment. The vulnerability has a CVSS v3 score of 8.8.
CVE-2026-24287, CVE-2026-24289, and CVE-2026-26132 are Elevation of Privilege (EoP) vulnerabilities affecting the Windows Kernel. Each vulnerability has a CVSS v3 score of 7.8 and is classified as Important. A local, authenticated attacker could exploit these flaws to obtain SYSTEM-level privileges on a vulnerable system. Although Microsoft has reported no evidence of active exploitation, CVE-2026-24289 and CVE-2026-26132 have been assessed as “Exploitation More Likely.” With these updates, a total of six Windows Kernel EoP vulnerabilities have been patched so far this year.
Recent updates from other Vendors
Adobe
Adobe released its March 2026 security updates as part of the monthly patch cycle, addressing 80 vulnerabilities across multiple Adobe products. These updates include 21 critical vulnerabilities, many of which could lead to remote code execution (RCE) or privilege escalation if exploited.
Affected Products
Adobe Commerce / Magento Open Source
Adobe Acrobat and Acrobat Reader
Adobe Experience Manager (AEM)
Adobe DNG Software Development Kit (SDK)
Cisco
Cisco released a major batch of security advisories addressing 48 vulnerabilities across firewall and networking products, including two critical CVE-2026-20079 an Authentication Bypass vulnerability and CVE-2026-20131 Remote Code Execution vulnerability both with CVSS 10.0 .
Key affected product families include:
Cisco Secure Firewall Management Center (FMC)
Cisco Secure Firewall Adaptive Security Appliance (ASA)
Cisco Secure Firewall Threat Defense (FTD)
Fortinet
Fortinet released security advisory for March 2026 covering 11 vulnerabilities across several products.
Affected products
FortiManager
FortiAnalyzer
FortiSandbox
FortiSwitchAX
Ivanti
Ivanti addressed its March 2026 vulnerabilities by releasing patched software releases (EPM 2024 SU5 and EPMM RPMs). CVE‑2026‑1603 and CVE‑2026‑1602. Ivanti also took urgent action to mitigate two critical remote code execution (RCE) vulnerabilities CVE‑2026‑1281 and CVE‑2026‑1340 in Ivanti Endpoint Manager Mobile (EPMM) that were actively exploited in the wild.
SAP
SAP Security Patch Day on March 10, 2026, delivered 15 new security notes There are no updates to previously released patch day security notes.
VMware
VMware released security advisories in this patch window addressing distinct flaws in VMware Aria Operations, a critical RCE, stored XSS, and privilege escalation.
Applying the latest security updates promptly is critical for staying protected against emerging threats. Timely patching reduces exposure to known vulnerabilities and helps prevent potential exploits.