Microsoft has published its usual batch of security updates and, as usual, it brings a mix of urgent patches and issues that should be monitored closely. This batch fixes 84 vulnerabilities in different components, of which. Among the flaws are a high percentage of privilege escalation bugs, several remote code execution issues and a couple of flaws that had already been publicly disclosed, meaning they could be on attackers' radar.
Microsoft's official list summarizes the set of fixes and is the starting point for any administrator who has to prioritize deployment: March 2026 patch guide. In addition, vulnerabilities in Chromium-based Edge have been addressed since the February update; Microsoft details these fixes in the browser release notes: Microsoft Edge security notes.

Among the publicly disclosed vulnerabilities, two should be noted first. One is a denial-of-service flaw in .NET, CVE-2026-26127, and the other is an elevation of privilege in SQL Server, CVE-2026-21262. Both have significant severity scores and should be part of the immediate assessment in corporate environments.
A striking finding of this cycle is a remote code execution vulnerability with the highest score recorded this month: CVE-2026-21536, related to the Microsoft Devices Pricing Program and with a CVSS score close to the maximum. Microsoft indicates that this problem has already been fully mitigated, so users do not have to take additional measures in their environments, but the origin of the discovery is interesting: the detection was attributed to an AI-driven vulnerability discovery platform called XBOW.
More worrying, because of how often attackers use them and how, is the huge proportion of privilege escalation flaws: almost half of the fixed bugs belong to this category. Experts from security companies have stressed that these bugs are especially valuable to malicious actors because they are often used in the post-compromise phase, that is, once the attackers have already entered the system by another means. The components affected this month include Windows graphics components, accessibility infrastructure, the kernel, the SMB server and critical processes such as Winlogon.
The Winlogon problem deserves a section of its own. CVE-2026-25187 allows a local attacker with low privileges to abuse link-following behavior in the Winlogon process to obtain SYSTEM privileges. Microsoft's advisory credits external researchers with identifying this flaw, and analysts point out that its exploitation complexity is low and that it does not require user interaction, making it a direct target if an attacker already has initial access to the machine.
Another relevant case affects Microsoft's AI and cloud stack: a Server-Side Request Forgery (SSRF) vulnerability in the Azure Model Context Protocol (MCP) Server, CVE-2026-26118. In essence, an MCP server that accepts user-provided parameters could be induced to make an outbound request to an attacker-controlled URL, and in that process could include the service's managed identity token. If that token is exposed, an attacker could act with the permissions associated with that identity and move laterally or access resources the service is authorized to use. The combination of identity-backed services and outbound calls makes these types of flaws especially costly in cloud environments.
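As an illustration of the mitigation side of the SSRF case described above, the following added example (not Microsoft's code and not taken from the MCP Server) shows a destination check a service can run before attaching its identity token to an outbound request built from a user-supplied URL. The allowlist contents, the function names and the sample URLs are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only hosts this hypothetical service may call with its identity.
TOKEN_ALLOWED_HOSTS = {"management.azure.com", "graph.microsoft.com"}


class OutboundDenied(ValueError):
    """Raised when a caller-supplied URL must not receive the identity token."""


def check_destination(url: str) -> str:
    """Return the normalized host if the URL may be called, else raise."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise OutboundDenied(f"unparseable URL: {exc}") from exc
    if parts.scheme != "https":
        raise OutboundDenied("only https is allowed")
    if parts.username is not None or parts.password is not None:
        # Blocks https://allowed-host@other-host/ style confusion.
        raise OutboundDenied("userinfo in URL is not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        raise OutboundDenied("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, continue with the name checks
    else:
        raise OutboundDenied("IP literals are not allowed")
    if port not in (None, 443):
        raise OutboundDenied("unexpected port")
    # Exact match, so allowed-host.attacker.example does not pass as a suffix.
    if host not in TOKEN_ALLOWED_HOSTS:
        raise OutboundDenied(f"host {host!r} is not allowlisted")
    return host


def outbound_headers(url: str, identity_token: str) -> dict:
    """Build request headers; the token is attached only after the check."""
    check_destination(url)
    return {"Authorization": f"Bearer {identity_token}"}
```

The HTTP client that uses these headers should also have redirect following disabled, otherwise an allowlisted host that redirects elsewhere would carry the token with it.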
There is also an information disclosure flaw in Excel, identified as CVE-2026-26144, caused by improper neutralization of input when generating web pages. Microsoft warns that, if exploited under certain conditions, it could cause Copilot Agent mode to exfiltrate data without user interaction. In companies where spreadsheets contain financial data or intellectual property, such flaws can have serious consequences because they allow silent leaks from sources that employees use daily.
In the face of all this, the practical recommendations are not surprising, but they are urgent: update critical systems as soon as possible, prioritizing the patches that fix privilege escalations and the publicly disclosed flaws. In addition to applying updates, it is advisable to review the use of managed identities and of applications that make calls to external resources, limit privileges to the minimum necessary and monitor for unusual activity that may indicate lateral movement after initial access.

In parallel with the patches, Microsoft has announced a behavior change in Windows Autopatch: starting with the May 2026 update, the option to apply security hotpatches will be enabled by default on eligible devices managed from Microsoft Intune or through the Microsoft Graph API. According to the company, allowing patches to be installed without waiting for a reboot can bring the compliance rate to 90% in half the time. The explanation and scope of this measure are available on Microsoft's official IT Pro blog: Microsoft explains the change in Windows Autopatch. Enabling these mechanisms can help organizations close exposure windows, but it should always be done after the necessary testing in controlled environments.
In the end, this patching cycle is a reminder of two things that have already become commonplace in cybersecurity: privilege escalation vulnerabilities remain a key tool for attackers, and applying patches quickly is the most efficient defense against their exploitation. If you manage Windows systems or services in Azure, it is advisable to review the official guides, plan the distribution of updates and combine that action with access control and continuous monitoring measures.
To read the technical data sheets and details of each vulnerability, the primary source is Microsoft's security guide, where they are individually documented: March 2026 patch page. If you manage Edge, also check the browser-specific notes at: Edge's security notes. And if you need to look up each entry by its identifier, Microsoft publishes individual pages for each CVE, for example CVE-2026-26127, CVE-2026-21262, CVE-2026-21536, CVE-2026-25187, CVE-2026-26118 and CVE-2026-26144. Keeping up with these sources is the best way to reduce risk in business and home infrastructure alike.