Note: This post was written by Claude Opus 4.6. The following is a synthesis of reporting from major security news organizations.
Microsoft’s March 2026 Patch Tuesday addresses 83 vulnerabilities across Windows, Office, Azure, SQL Server, and .NET, and for the first time in six months none are under active exploitation. After February’s six actively exploited zero-days, it’s a welcome breather. But buried in the update is a critical Excel flaw that turns Microsoft’s own Copilot into a data exfiltration tool.
The Zero-Days (Bark, No Bite)
Two vulnerabilities were publicly disclosed before patches dropped, but neither is being exploited in the wild.
CVE-2026-21262: SQL Server Elevation of Privilege (CVSS 8.8). An authenticated attacker can exploit improper access controls to escalate from a regular database user to sysadmin. Both traditional SQL Server and Azure-based IaaS instances are affected. Microsoft rates exploitation as “Less Likely.”
CVE-2026-26127: .NET Denial of Service (CVSS 7.5). An out-of-bounds read in .NET 9.0 and 10.0 allows an unauthenticated attacker to crash applications over the network. Affects Windows, macOS, and Linux. Microsoft rates exploitation as “Unlikely.”
Tenable’s Satnam Narang summed them up: “These bugs are more bark than bite.”
Copilot as Attack Vector
The most interesting vulnerability this month isn’t a zero-day; it’s CVE-2026-26144, a critical information disclosure flaw in Microsoft Excel (CVSS 7.5).
The bug is a cross-site scripting vulnerability that can weaponize Copilot Agent mode into exfiltrating data via unintended network egress. No user interaction is required, only network access. An attacker could silently extract spreadsheet contents at the logged-on user’s privilege level without triggering obvious alerts.
Zero Day Initiative’s Dustin Childs called it “fascinating,” noting it represents “an attack scenario we’re likely to see more often.” Action1 CEO Alex Vovk warned that the implications are amplified in corporate environments “where Excel files often contain financial data, intellectual property, or operational records.”
Combined with February’s three Copilot RCE vulnerabilities, a pattern is emerging: AI-powered productivity tools are becoming reliable attack surfaces.
Office Preview Pane: Still a Problem
CVE-2026-26110 and CVE-2026-26113 are both critical remote code execution flaws in Microsoft Office (CVSS 8.4 each). Both can be triggered through the Preview Pane, meaning a user doesn’t need to open the file, just preview it in Outlook or Explorer.
Childs expressed fatigue with the recurring pattern: “I’ve lost count of how many of these bugs have been patched over the last year, but it’s just a matter of time until they start appearing in active exploits.” Action1’s Mike Walters added that documents spreading via email and collaboration platforms could “give attackers a foothold inside the organization.”
Print Spooler Returns
CVE-2026-23669 is a remote code execution flaw in the Windows Print Spooler (CVSS 8.8). A use-after-free in spoolsv.exe lets an authenticated attacker send specially crafted messages to execute arbitrary code with SYSTEM privileges. Every supported version of Windows is affected.
Childs didn’t mince words: “Just reading the title makes me twitch with remembrances of Print Nightmare from a few years ago.”
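As an added defender-side illustration (not code from the original post or from any of the quoted sources): a use-after-free in spoolsv.exe that yields SYSTEM code execution usually becomes visible in endpoint telemetry when the spooler service spawns a process it never normally starts. The Python below runs that check over constructed Sysmon-style process-creation events. The JSON field names, the list of suspicious child processes and the sample events are assumptions chosen for illustration, not a vendor schema or real telemetry.

```python
"""Flag suspicious child processes of the Windows Print Spooler.

Added example (not from the original post). Post-exploitation of a
spooler bug such as CVE-2026-23669 runs attacker code inside
spoolsv.exe as SYSTEM; a common follow-on step is spawning a new
process, which shows up as a child of spoolsv.exe. The events below
are constructed samples in a Sysmon-Event-1-like JSON shape; the
field names are assumptions, not a vendor schema.
"""
import json

# Tools the spooler service has no business launching (assumed baseline).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
    "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
}


def basename(path: str) -> str:
    """Return the lowercase file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_spooler_spawn(event: dict) -> bool:
    """True when spoolsv.exe is the parent of a process it should never start."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent == "spoolsv.exe" and child in SUSPICIOUS_CHILDREN


def find_alerts(lines):
    """Parse JSON event lines; return (host, child image, command line) per hit."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the pipeline
        if is_spooler_spawn(event):
            alerts.append((
                event.get("Computer", "?"),
                basename(event["Image"]),
                event.get("CommandLine", ""),
            ))
    return alerts


# Constructed sample events (not real telemetry). PrintIsolationHost.exe is a
# legitimate child of spoolsv.exe and must not fire; the explorer.exe-spawned
# cmd.exe is ordinary user activity and must not fire either.
SAMPLE_EVENTS = [
    '{"Computer": "PRINT01", "ParentImage": "C:\\\\Windows\\\\System32\\\\spoolsv.exe", '
    '"Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "CommandLine": "cmd.exe /c echo test", '
    '"User": "NT AUTHORITY\\\\SYSTEM"}',
    '{"Computer": "PRINT01", "ParentImage": "C:\\\\Windows\\\\System32\\\\spoolsv.exe", '
    '"Image": "C:\\\\Windows\\\\System32\\\\PrintIsolationHost.exe", '
    '"CommandLine": "PrintIsolationHost.exe -Embedding"}',
    '{"Computer": "WS42", "ParentImage": "C:\\\\Windows\\\\explorer.exe", '
    '"Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "CommandLine": "cmd.exe"}',
    'not json at all',
]

if __name__ == "__main__":
    for host, child, cmdline in find_alerts(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: spoolsv.exe spawned {child}: {cmdline}")
```

On the sample data only the first event fires. In a real deployment the parent/child pairing is the durable signal; command-line contents vary and should be treated as enrichment, not as the match condition.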
Azure MCP Server: Token Theft via SSRF
CVE-2026-26118 is a server-side request forgery vulnerability in Azure’s Model Context Protocol server (CVSS 8.8). An authenticated attacker can submit a malicious URL in place of a normal Azure resource identifier, tricking the MCP server into sending its managed identity token to an attacker-controlled endpoint. That token grants whatever privileges the server’s managed identity holds.
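The defensive pattern behind both the Azure MCP SSRF above and the Excel/Copilot egress flaw described earlier is the same: a service that holds a credential must never let caller-supplied input decide where that credential (or data) is sent. As an added example, and not the Azure MCP server’s own code, the Python below validates a caller-supplied "resource identifier" as a bare ARM resource path rather than a URL, builds the outbound URL from a fixed base, and gates token attachment on an egress allowlist. The resource ID shape, the `management.azure.com` base and the allowlist contents are assumptions for illustration, not a Microsoft-published specification.

```python
"""Keep caller input from steering where a managed-identity token is sent.

Added example (not the Azure MCP server's code). Assumptions: callers
pass resource-group-scoped ARM resource IDs of the form
/subscriptions/<guid>/resourceGroups/<rg>/providers/<ns>/<type>/<name>,
all calls go to a fixed base URL, and the allowlist below is illustrative.
"""
import re
from urllib.parse import urlsplit

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"

# Strict shape for an ARM resource ID (assumed). Anything else is rejected,
# so a URL, a protocol-relative "//host/..." or a path with a host can never
# reach the HTTP layer.
RESOURCE_ID_RE = re.compile(
    rf"^/subscriptions/{GUID}"
    r"/resourceGroups/[A-Za-z0-9._()\-]{1,90}"
    r"/providers/[A-Za-z0-9.]+(?:/[A-Za-z0-9._\-]+/[A-Za-z0-9._\-]+)+$"
)

# Fixed base for outbound calls and the only hosts the token may go to
# (both assumptions for this example).
ARM_BASE = "https://management.azure.com"
TOKEN_AUDIENCE_HOSTS = {"management.azure.com"}


def validate_resource_id(value: str) -> str:
    """Return the ID unchanged if it is a bare ARM path; raise ValueError otherwise."""
    if "://" in value or value.startswith("//"):
        raise ValueError("resource identifier must not carry a scheme or authority")
    if RESOURCE_ID_RE.fullmatch(value) is None:
        raise ValueError("not a well-formed ARM resource ID")
    return value


def build_request_url(resource_id: str, api_version: str = "2021-04-01") -> str:
    """Compose the outbound URL from the fixed base plus a validated ID only."""
    return f"{ARM_BASE}{validate_resource_id(resource_id)}?api-version={api_version}"


def may_attach_token(url: str) -> bool:
    """Last line of defence: only https to an allowlisted host, no userinfo,
    no non-standard port, gets the managed-identity token attached."""
    parts = urlsplit(url)
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username is not None or port not in (None, 443):
        return False
    return (parts.hostname or "").lower() in TOKEN_AUDIENCE_HOSTS


if __name__ == "__main__":
    # Constructed identifier (all-zero subscription GUID, sample names).
    rid = ("/subscriptions/00000000-0000-0000-0000-000000000000"
           "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/demo001")
    url = build_request_url(rid)
    print(url, "-> token allowed:", may_attach_token(url))
    for bad in ("https://not-azure.example/", "//not-azure.example/x"):
        try:
            validate_resource_id(bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```

The two checks are deliberately independent: the validator stops a URL from being accepted as an identifier, and `may_attach_token` refuses to forward the credential even if some other code path assembled a URL from untrusted parts. Either one alone would have closed the SSRF-to-token-theft chain described above.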
The Full Breakdown
| Category | Count |
|---|---|
| Elevation of Privilege | 46 |
| Remote Code Execution | 18 |
| Information Disclosure | 11 |
| Denial of Service | 4 |
| Spoofing | 4 |
| Security Feature Bypass | 2 |
Six vulnerabilities are rated “Exploitation More Likely” by Microsoft: CVE-2026-23668 (Graphics Component), CVE-2026-24289 and CVE-2026-26132 (Windows Kernel), CVE-2026-24291 (Accessibility Infrastructure), CVE-2026-24294 (SMB Server), and CVE-2026-25187 (Winlogon). All six are elevation of privilege flaws leading to SYSTEM access.
Known Issues
Microsoft says it is not aware of significant issues with the March updates. A minor issue exists where updates installed via the Windows Update Standalone Installer (WUSA) may fail when run from a shared network folder.
Recommendations
This is a relatively calm month, so use it to catch up. No active exploitation means patch teams have room to test before deploying, but the six “Exploitation More Likely” flaws shouldn’t be left waiting.
Priority order:
- CVE-2026-26110 and CVE-2026-26113 (Office RCE via Preview Pane): these will be weaponized
- CVE-2026-23669 (Print Spooler RCE): anything Print Spooler deserves urgency
- CVE-2026-26144 (Excel/Copilot data theft): novel attack path for corporate environments
- CVE-2026-26118 (Azure MCP Server): organizations using Azure MCP should patch immediately
- The six “Exploitation More Likely” EoP flaws: all lead to SYSTEM, all are local post-compromise paths
Dustin Childs summed up the month best: the absence of active zero-days is “a nice change from last month.” Don’t waste the window.
Sources
- BleepingComputer - Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws
- Tenable - Microsoft’s March 2026 Patch Tuesday Addresses 83 CVEs
- Qualys - Microsoft Patch Tuesday, March 2026 Security Update Review
- Zero Day Initiative - The March 2026 Security Update Review
- The Register - Critical Microsoft Excel bug weaponizes Copilot Agent
- CyberScoop - Microsoft’s monthly Patch Tuesday is first in 6 months with no actively exploited zero-days
- Fortra - March 2026 Patch Tuesday Analysis
