Microsoft Patches 83 Vulnerabilities

Microsoft has fixed a critical vulnerability, but none of the flaws fixed this Patch Tuesday has been exploited in the wild.


Microsoft on Tuesday announced patches for 83 vulnerabilities affecting its products.

While none of the bugs have been flagged as exploited, two of them have been publicly disclosed, Microsoft’s advisories reveal.

These include CVE-2026-26127, a denial-of-service (DoS) issue in .NET, and CVE-2026-21262, an elevation of privilege defect in SQL Server.

“These bugs are more bark than bite. The DoS vulnerability is assessed as unlikely to be exploited and requires an attacker to be authorized beforehand, while the privilege escalation bug was deemed less likely to be exploited,” Tenable researcher Satnam Narang points out.

Microsoft’s March 2026 Patch Tuesday updates resolve a single critical-severity flaw, namely CVE-2026-21536 (CVSS score of 9.8), a remote code execution weakness in Devices Pricing Program that has already been fully mitigated by the tech giant.

“There is no action for users of this service to take. The purpose of this CVE is to provide further transparency,” the company notes.


Another security defect that stands out is CVE-2026-26118, an elevation of privilege issue in Azure MCP Server Tools that could be exploited by sending specially crafted input to a server tool that accepts user-supplied parameters.

“If the attacker can interact with the MCP‑backed agent, they can submit a malicious URL in place of a normal Azure resource identifier. The MCP Server then sends an outbound request to that URL and, in doing so, may include its managed identity token. This allows the attacker to capture that token without requiring administrative access,” Microsoft notes.
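The flaw class Microsoft describes is a tool parameter that should be an Azure resource identifier but is treated as a URL, so the server's credential follows the request to wherever the caller points it. The sketch below is an added example, not Microsoft's fix or Azure MCP Server code: it shows a defensive check that accepts only path-shaped resource IDs and attaches the token only to an allowlisted host. The function names, the allowlist and the sample inputs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host this hypothetical tool may send its token to.
TOKEN_HOSTS = {"management.azure.com"}

_GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
_SEG = r"[A-Za-z0-9][A-Za-z0-9_.()\-]*"  # conservative: no '/', ':', '@', '%' or leading dot
# /subscriptions/<guid>/resourceGroups/<rg>/providers/<namespace>(/<type>/<name>)+
_ARM_ID = re.compile(
    rf"/subscriptions/{_GUID}/resourceGroups/{_SEG}/providers/{_SEG}(?:/{_SEG}/{_SEG})+",
    re.IGNORECASE,
)


def is_arm_resource_id(value: str) -> bool:
    """True only for a path-shaped Azure resource ID, never for a URL."""
    return isinstance(value, str) and _ARM_ID.fullmatch(value) is not None


def token_allowed_for(url: str) -> bool:
    """Decide whether the managed identity token may accompany a request to url."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    return (
        parts.scheme == "https"
        and parts.hostname in TOKEN_HOSTS
        and parts.username is None  # rejects https://allowed-host@other-host/
        and port in (None, 443)
    )


def resolve_target(user_value: str) -> str:
    """Map a tool parameter to the outbound URL, or raise ValueError."""
    if not is_arm_resource_id(user_value):
        raise ValueError("parameter is not an Azure resource ID")
    url = "https://management.azure.com" + user_value
    if not token_allowed_for(url):  # defence in depth: re-check the built URL
        raise ValueError("destination not allowed to receive the token")
    return url


# Constructed sample inputs (not taken from the advisory).
GOOD_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
           "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/demoacct")
BAD_URL = "https://collector.example/"
```

The same destination check should run again on any redirect target, or redirects should be disabled for requests that carry the token.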

Narang says that the privilege escalation bugs in Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon may require attention, as such vulnerabilities are often exploited following initial access.

According to Fortra associate director Tyler Reguly, users should also pay attention to five Azure security defects addressed this month.

These include an elevation of privilege issue in Azure Linux Virtual Machines (CVE-2026-23665), and one spoofing and three information disclosure flaws in Azure IoT Explorer (CVE-2026-26121, CVE-2026-23661, CVE-2026-23662, and CVE-2026-23664).

These bugs, Reguly points out, require non-standard patching mechanisms, which may require additional effort from IT teams.

“CSOs should ensure that they have solid asset inventories around the deployment of cloud-related systems and tools, so that admins know where these things exist and when they need to be fixed. This is the best way to empower your sys admins and security teams on a quiet month like this,” Reguly said.

Microsoft also announced fixes for 10 non-Microsoft CVEs, including a flaw in Microsoft Semantic Kernel Python SDK, and nine in Microsoft Edge (which is based on Chromium).

On Tuesday, Adobe announced the rollout of patches for 80 vulnerabilities across its products, including high-severity flaws in Adobe Commerce.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
