Microsoft’s March 2026 Patch Tuesday release addresses 57 vulnerabilities, including issues affecting Windows, Microsoft Office, SQL Server and .NET.
Among the fixes are two publicly disclosed zero-day vulnerabilities, although neither is known to have been actively exploited at the time of release. As always, organisations should prioritise applying these updates promptly to reduce potential exposure.
When counting vulnerabilities for Patch Tuesday, only those released by Microsoft on the day itself are included. This total does not include fixes issued earlier in the month for Microsoft Edge, Azure services, Mariner, the Payment Orchestrator Service or the Microsoft Devices Pricing Program.
For organisations managing Windows environments, Microsoft has also released additional non-security updates as part of the monthly cumulative updates for Windows 11 (KB5079473 and KB5078883) and the Windows 10 extended security update (KB5078885).
Microsoft addressed two vulnerabilities that had already been publicly disclosed before patches were available. Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited before an official fix is released.
The first of these affects Microsoft SQL Server and could allow an attacker with authorised access to escalate privileges to SQLAdmin level over a network due to improper access control.
The issue was identified by a security researcher, who originally highlighted the weakness in his research into stored procedure permissions.
If exploited, attackers could potentially gain elevated database privileges, increasing the risk of data access, modification or further compromise within affected environments.
Microsoft also patched a denial-of-service vulnerability in .NET caused by an out-of-bounds read error.
An unauthorised attacker could exploit this issue over a network to disrupt application availability, potentially impacting services relying on affected .NET components.
The vulnerability was reported by an anonymous security researcher.
Two remote code execution vulnerabilities in Microsoft Office (CVE-2026-26110 and CVE-2026-26113) are particularly notable because they can be triggered through the Preview Pane.
This means that in some scenarios, simply previewing a malicious file could allow code execution without the user opening it directly.
Organisations using Office environments should prioritise these updates.
Another vulnerability of interest affects Microsoft Excel (CVE-2026-26144) and involves potential information disclosure through Microsoft Copilot.
If successfully exploited, an attacker could trigger Copilot Agent mode to exfiltrate sensitive information via unintended network connections, creating the possibility of a zero-click data exposure scenario.
Alongside Microsoft’s Patch Tuesday updates, several major technology vendors have released their own security advisories and fixes during March.
Regular patching remains one of the most effective ways to reduce cyber risk. Security teams should prioritise applying updates to:
Maintaining visibility across your infrastructure and applying updates quickly can significantly reduce the window of opportunity for attackers.