Microsoft Patch Tuesday March 2026: 79 Flaws, 2 Zero-Days, SQL Server Escalation and Excel Data Leak
Quick summary
Microsoft's March 2026 Patch Tuesday fixes 79 vulnerabilities including 2 zero-days. Key patches: SQL Server privilege escalation (CVSS 8.8), a .NET denial-of-service, an Excel XSS information disclosure flaw, and two Office RCEs triggerable from the Outlook preview pane.
Microsoft released its March 2026 Patch Tuesday security update on March 11, fixing 79 vulnerabilities across Windows, Office, SQL Server, and Microsoft Copilot-integrated products. Two vulnerabilities were publicly disclosed before patches were available. None are confirmed as actively exploited — but two require immediate attention from developers and enterprise teams.
The Two Zero-Days
CVE-2026-21262 — SQL Server Privilege Escalation (CVSS 8.8)
An authenticated attacker with a low-privilege SQL Server account can escalate to sysadmin-level privileges without any additional user interaction. The attack is network-accessible: it does not require local access to the server.
This affects SQL Server 2019 and SQL Server 2022 on all supported Windows versions. If your application uses SQL Server with connection strings that include low-privilege accounts — which is correct practice — those accounts can be used to escalate if an attacker gains access to the database connection.
Patch immediately. Any internet-facing application with a SQL Server backend should treat this as urgent. Even internal-only applications are at risk if an attacker gains a foothold elsewhere in the network.
CVE-2026-26127 — .NET Denial of Service
A crafted request to a .NET application can cause the application to stop responding entirely. No authentication required. The attack is remotely exploitable from the network.
Affected: .NET 8, .NET 9. Applications running on Azure App Service, IIS, and self-hosted .NET web servers are all in scope. The DoS can be triggered repeatedly, meaning an attacker can keep an application down indefinitely until its runtime is updated, once they identify that it is vulnerable.
If you run .NET web applications, update your runtime and redeploy. Azure App Service will apply the patch automatically if you have automatic updates enabled — verify your settings.
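As an added example (not code from the original post), the following Python check parses the output of `dotnet --list-runtimes` and flags installed runtimes in the affected .NET 8 and .NET 9 lines that sit below a minimum patched build. The patched build numbers in MIN_PATCHED are placeholders to be replaced with the values from Microsoft's March 2026 release notes, and the sample output is constructed.

```python
"""Flag installed .NET runtimes in the affected major versions (.NET 8, .NET 9)
that are below the minimum patched build, from `dotnet --list-runtimes` output."""
import re
import subprocess

# Affected major versions per the advisory. The patched build numbers are
# PLACEHOLDERS (assumption): take the real values from the March 2026 release notes.
MIN_PATCHED = {8: (8, 0, 99), 9: (9, 0, 99)}

# `dotnet --list-runtimes` prints one line per runtime: "<name> <version> [<path>]"
RUNTIME_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+)\s+\[(?P<path>.*)\]$")

def parse_runtimes(text):
    """Return (name, version_tuple, path) for every runtime line in the output."""
    found = []
    for line in text.splitlines():
        m = RUNTIME_RE.match(line.strip())
        if m:
            ver = tuple(int(p) for p in m.group("ver").split("."))
            found.append((m.group("name"), ver, m.group("path")))
    return found

def vulnerable_runtimes(text, min_patched=MIN_PATCHED):
    """Return (name, version_tuple) for runtimes whose major version is in scope
    and whose build is older than the minimum patched build."""
    flagged = []
    for name, ver, _path in parse_runtimes(text):
        floor = min_patched.get(ver[0])
        if floor is not None and ver < floor:
            flagged.append((name, ver))
    return flagged

# Constructed sample output, used when the dotnet CLI is not available.
SAMPLE = """\
Microsoft.NETCore.App 6.0.36 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.11 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]
Microsoft.AspNetCore.App 8.0.11 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 9.0.99 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]
"""

def list_runtimes_output():
    """Run the real CLI if present; return None so the caller can fall back to SAMPLE."""
    try:
        return subprocess.run(["dotnet", "--list-runtimes"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None

if __name__ == "__main__":
    for name, ver in vulnerable_runtimes(list_runtimes_output() or SAMPLE):
        print(f"UPDATE NEEDED: {name} {'.'.join(map(str, ver))}")
```

Preview builds with a suffix such as 9.0.0-preview.1 do not match the version pattern and are skipped, so review those manually.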
The Excel Information Disclosure Flaw (CVE-2026-26144)
This one is the most unusual vulnerability in the batch and warrants separate attention.
CVE-2026-26144 is an XSS-class information disclosure flaw in Microsoft Excel. A malicious spreadsheet with crafted formulas or embedded objects can trigger the flaw when opened, exposing sensitive cell data to an attacker. In enterprise environments where Excel stores financial models, employee records, pricing sheets, and customer data, information disclosure without code execution is a serious threat.
This is not a remote code execution flaw. No arbitrary code runs on the victim's machine. The risk is data leakage — the contents of the spreadsheet being accessible to an attacker who controls the malicious file's call-home destination.
For organisations running Microsoft 365 with Copilot enabled, the attack surface is wider: any Excel integration that feeds spreadsheet data into Copilot's context could amplify the scope of what is accessible if the flaw is triggered.
Who is at risk: Any user who opens untrusted Excel files — particularly finance teams, HR, and operations teams whose spreadsheets contain sensitive data.
Mitigation: Apply the March 2026 Patch Tuesday Office update through Windows Update or your organisation's patch management system. Do not open Excel files from untrusted sources until patched.
The Office Preview Pane RCEs
Two Office remote code execution vulnerabilities — CVE-2026-26130 and CVE-2026-26131 — can be triggered through the Outlook preview pane. A user does not need to open a Word or Excel attachment. Previewing it in Outlook is sufficient to trigger code execution.
This attack surface has been exploited in the wild before — the 2021 MSHTML zero-day used a similar preview-pane vector. While these two CVEs are not yet confirmed as exploited in the wild, the preview pane vector has a history of being weaponised quickly.
Mitigation: Disable the preview pane in Outlook until patches are deployed. In Outlook: View menu, then Turn Off Reading Pane. This is a temporary measure — the permanent fix is applying the March Patch Tuesday update.
Patching Checklist for Developers and IT Teams
Priority order for this month:
- SQL Server 2019 / 2022 — patch CVE-2026-21262 immediately
- .NET 8 / .NET 9 applications — update runtime, redeploy
- Microsoft 365 / Excel — apply March 2026 Office update via Windows Update or patch management
- Outlook desktop clients — apply the Office update to patch preview-pane RCEs
- Windows systems broadly — standard monthly patch cycle
The Pattern Worth Noting
The Excel Copilot vulnerability reflects an emerging class of AI-integration security flaw: the AI feature becomes an unintended data channel. As Copilot, Gemini Workspace, and Claude for Enterprise are integrated more deeply into productivity applications, the attack surface for data exfiltration via AI-mediated document analysis grows alongside it.
Developers and security teams integrating AI features into enterprise applications need to model this threat surface explicitly. AI features that have read access to sensitive documents can, if compromised, exfiltrate that data in ways that traditional DLP tools are not designed to detect.
Apply March's patches. Watch the Copilot vulnerability category — it will not be the last one.
Written by
Abhishek Gautam
Full Stack Developer & Software Engineer based in Delhi, India. Building web applications and SaaS products with React, Next.js, Node.js, and TypeScript. 8+ projects deployed across 7+ countries.