Microsoft’s Patch Tuesday for March Fixes Two Zero-Day Vulnerabilities

Microsoft released its March Patch Tuesday update on Tuesday, March 10. The company releases an update on the first Tuesday of every month, which contains all of the security patches it developed since the last update. This time around, the update is particularly important, as Microsoft included patches for two zero-days.
Bleeping Computer compiled all of the patches Microsoft issued with this latest Patch Tuesday. As you can see from their reporting, the two zero-days are far from the only vulnerabilities patched here. The update patches at least 84 vulnerabilities, including the following:
- 46 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 18 Remote Code Execution Vulnerabilities
- 10 Information Disclosure Vulnerabilities
- 4 Denial of Service Vulnerabilities
- 4 Spoofing Vulnerabilities
Of course, the most important of these patches are the two zero-days. Zero-days are vulnerabilities that are either disclosed or actively exploited before a patch is issued. The two zero-days here aren’t the worst-case scenario, luckily: according to Microsoft, neither vulnerability is actively exploited. That means users have a chance to install the patch before bad actors can figure out how to exploit the vulnerabilities.
The two zero-days are as follows:
- CVE-2026-21262: SQL Server Elevation of Privilege Vulnerability: “Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.”
- CVE-2026-26127: .NET Denial of Service Vulnerability: “Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.”



