Microsoft Patch Tuesday March 2026: 77 Vulnerabilities Fixed, Critical RCE in Office & Privilege‑Escalation in SQL Server
What Happened — Microsoft released its March 2026 Patch Tuesday, delivering fixes for 77 CVEs across Windows, Office, .NET, and SQL Server. The update includes high‑severity remote‑code‑execution bugs in Office preview panes and a privilege‑escalation flaw (CVE‑2026‑21262) that lets an attacker become a SQL Server sysadmin. No zero‑day exploits were disclosed, but several flaws are rated “exploitation more likely.”
Why It Matters for TPRM —
- Unpatched Microsoft stacks are a common entry point for supply‑chain attacks, jeopardizing any downstream vendor that runs Windows‑based workloads.
- High‑CVSS privilege‑escalation and RCE bugs can be leveraged to compromise internal networks, exposing data and services of third‑party partners.
- Contractual security clauses often require timely patching; failure to remediate quickly can constitute a breach of vendor obligations.
Who Is Affected — Enterprises in every industry that run Windows, Microsoft Office, SQL Server or .NET applications, as well as managed service providers (MSPs) hosting Windows workloads.
Recommended Actions —
- Prioritize deployment of patches for CVE‑2026‑21262 (SQL Server) and CVE‑2026‑26113 / CVE‑2026‑26110 (Office RCE).
- Verify patch rollout across all endpoints and servers within 48 hours; use automated patch management tools where possible.
- Update third‑party risk assessments to reflect the new vulnerability landscape and confirm that vendors meet patch‑compliance requirements.
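As an added example (not from the advisory, Microsoft or Krebs on Security), the following Python check turns the two steps above into a vendor patch-compliance report: it tests each inventoried host against the prioritised CVEs and the 48-hour window, and refuses to count a snapshot taken before the release as evidence. The host records and the release timestamp are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# CVEs the advisory says to deploy first.
PRIORITY_CVES = frozenset({"CVE-2026-21262", "CVE-2026-26113", "CVE-2026-26110"})
PATCH_SLA = timedelta(hours=48)          # the 48-hour rollout window


@dataclass(frozen=True)
class HostRecord:
    vendor: str
    host: str
    patched_cves: frozenset              # CVEs addressed by the host's installed updates
    collected_at: datetime               # when this inventory snapshot was taken


def classify_host(record, release_time, now):
    """Return 'stale', 'compliant', 'pending' or 'overdue' for one host.

    A snapshot collected before the patches existed proves nothing, so it is
    reported as stale evidence instead of being counted as compliant.
    """
    if record.collected_at < release_time:
        return "stale"
    if PRIORITY_CVES <= record.patched_cves:
        return "compliant"
    return "overdue" if now > release_time + PATCH_SLA else "pending"


def assess_vendors(records, release_time, now):
    """Group hosts by vendor; a vendor is compliant only if every host is."""
    report = {}
    for r in records:
        entry = report.setdefault(r.vendor, {"compliant": True, "hosts": {}})
        status = classify_host(r, release_time, now)
        entry["hosts"][r.host] = (status, sorted(PRIORITY_CVES - r.patched_cves))
        if status != "compliant":
            entry["compliant"] = False
    return report


# Constructed sample inventory; RELEASE is a placeholder, not the real release time.
RELEASE = datetime(2026, 3, 1, 18, 0, tzinfo=timezone.utc)
SAMPLE = [
    HostRecord("AcmePayroll", "sql01", PRIORITY_CVES - {"CVE-2026-21262"}, RELEASE + timedelta(hours=60)),
    HostRecord("AcmePayroll", "ws17", PRIORITY_CVES, RELEASE + timedelta(hours=20)),
    HostRecord("NorthwindMSP", "app02", PRIORITY_CVES, RELEASE + timedelta(hours=50)),
    HostRecord("ContosoLogistics", "fs03", PRIORITY_CVES, RELEASE - timedelta(days=3)),  # pre-release snapshot
]


def sample_report(hours_since_release=72):
    """Assess the constructed inventory at a chosen time after release."""
    return assess_vendors(SAMPLE, RELEASE, RELEASE + timedelta(hours=hours_since_release))


if __name__ == "__main__":
    for vendor, entry in sample_report().items():
        print(vendor, "compliant" if entry["compliant"] else "NON-COMPLIANT", entry["hosts"])
```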
Technical Notes —
- Attack vectors: remote‑code‑execution via malicious Office preview‑pane messages; privilege escalation via SMB, Winlogon, Accessibility Infrastructure, and SQL Server.
- CVSS scores range from 7.8 to 8.8; 55 % of the month’s CVEs are privilege‑escalation bugs.
- AI‑discovered CVE‑2026‑21536 in the Microsoft Devices Pricing Program was patched by Microsoft without end‑user action.
Source: Krebs on Security