Security News

Cybersecurity news aggregator

HIGH Updates SecurityWeek

Microsoft Patches 83 Vulnerabilities

  • What: Microsoft released patches for 83 vulnerabilities
  • Impact: Includes DoS and privilege escalation flaws in .NET and SQL Server

Microsoft has fixed a critical vulnerability, but none of the flaws fixed this Patch Tuesday has been exploited in the wild.

By Ionut Arghire | March 10, 2026 (3:12 PM ET)

Microsoft on Tuesday announced patches for 83 vulnerabilities affecting its products.

While none of the bugs have been flagged as exploited, two of them have been publicly disclosed, Microsoft’s advisories reveal. These include CVE-2026-26127, a denial-of-service (DoS) issue in .NET, and CVE-2026-21262, an elevation of privilege defect in SQL Server.

“These bugs are more bark than bite. The DoS vulnerability is assessed as unlikely to be exploited and requires an attacker to be authorized beforehand, while the privilege escalation bug was deemed less likely to be exploited,” Tenable researcher Satnam Narang points out.

Microsoft’s March 2026 Patch Tuesday updates resolve a single critical-severity flaw, namely CVE-2026-21536 (CVSS score of 9.8), a remote code execution weakness in Devices Pricing Program that has already been fully mitigated by the tech giant.

“There is no action for users of this service to take. The purpose of this CVE is to provide further transparency,” the company notes.

Another security defect that stands out is CVE-2026-26118, an elevation of privilege issue in Azure MCP Server Tools that could be exploited by sending specially crafted input to a server tool that accepts user-supplied parameters.

“If the attacker can interact with the MCP‑backed agent, they can submit a malicious URL in place of a normal Azure resource identifier. The MCP Server then sends an outbound request to that URL and, in doing so, may include its managed identity token. This allows the attacker to capture that token without requiring administrative access,” Microsoft notes.
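The class of flaw described for CVE-2026-26118 is usually countered with two independent checks, sketched here as an added example that is not Microsoft's code or its fix: reject any tool parameter that is not shaped like a resource identifier, and attach the identity token only when the destination host is allowlisted. The function names, the `management.azure.com` allowlist entry and the sample values are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host that should ever receive the managed identity token.
TOKEN_HOSTS = {"management.azure.com"}

# ARM-style ID: /subscriptions/<guid>/resourceGroups/<rg>/providers/<ns>/<type>/<name>
_GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
_SEG = r"[A-Za-z0-9._()\-]+"
RESOURCE_ID_RE = re.compile(
    rf"/subscriptions/{_GUID}/resourceGroups/{_SEG}"
    rf"/providers/{_SEG}(?:/{_SEG}/{_SEG})+"
)

# Constructed sample inputs (not taken from the advisory).
GOOD_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
           "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/acct01")
BAD_URL = "https://attacker.example/collect"


def parse_resource_id(value):
    """Accept only a resource ID path; a URL or anything else is rejected."""
    if not isinstance(value, str) or not RESOURCE_ID_RE.fullmatch(value):
        raise ValueError("parameter is not an Azure resource identifier")
    return value


def build_request(url, token):
    """Attach the bearer token only for HTTPS requests to an allowlisted host."""
    parts = urlsplit(url)
    headers = {"Accept": "application/json"}
    trusted = (parts.scheme == "https" and parts.hostname in TOKEN_HOSTS
               and parts.port in (None, 443) and parts.username is None)
    if trusted:
        headers["Authorization"] = f"Bearer {token}"
    return {"url": url, "headers": headers}


def handle_tool_call(resource_param, token):
    """Hypothetical tool handler: the server, never the caller, picks the host."""
    rid = parse_resource_id(resource_param)
    return build_request(f"https://management.azure.com{rid}", token)


if __name__ == "__main__":
    print(handle_tool_call(GOOD_ID, "constructed-token")["url"])
    print("Authorization" in build_request(BAD_URL, "constructed-token")["headers"])
```

Either check alone blocks the token leak in this sketch; keeping both means a gap in input validation does not by itself expose the credential.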
Narang says that the privilege escalation bugs in Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon may require attention, as such vulnerabilities are often exploited following initial access.

According to Fortra associate director Tyler Reguly, users should also pay attention to five Azure security defects addressed this month. These include an elevation of privilege issue in Azure Linux Virtual Machines (CVE-2026-23665), and one spoofing and three information disclosure flaws in Azure IoT Explorer (CVE-2026-26121, CVE-2026-23661, CVE-2026-23662, and CVE-2026-23664).

These bugs, Reguly points out, require non-standard patching mechanisms, which may require additional effort from IT teams.

“CSOs should ensure that they have solid asset inventories around the deployment of cloud-related systems and tools, so that admins know where these things exist and when they need to be fixed. This is the best way to empower your sys admins and security teams on a quiet month like this,” Reguly said.

Microsoft also announced fixes for 10 non-Microsoft CVEs, including a flaw in Microsoft Semantic Kernel Python SDK, and nine in Microsoft Edge (which is based on Chromium).

On Tuesday, Adobe announced the rollout of patches for 80 vulnerabilities across its products, including high-severity flaws in Adobe Commerce.

Ionut Arghire is an international correspondent for SecurityWeek.