Microsoft Patchday: Two zero-days and 83 new vulnerabilities patched

On the March Patchday, Microsoft fixed 83 new vulnerabilities. Two are zero-day flaws. None of them appears to have been attacked yet.


For the March 2026 Patchday, Microsoft is shipping updates for 83 new vulnerabilities. Two of them are zero-day vulnerabilities. So far, none of them has apparently been exploited in attacks on the internet.

Microsoft itself lists all vulnerability entries that the company published on the March Patchday in an overview. The developers classify eight of them as critical threats, in many cases diverging from the often considerably lower risk rating implied by the CVSS score.

According to Microsoft, information about a vulnerability in SQL Server that allows privilege escalation (CVE-2026-21262, CVSS 8.8, risk "high") and a denial-of-service vulnerability in .NET (CVE-2026-26127, CVSS 7.5, risk "high") is already publicly available. Neither has been attacked yet, however, and Microsoft rates exploitation as unlikely.

The developers in Redmond classify vulnerabilities in Microsoft's "ACI Confidential Containers" in Azure as a critical risk. Attackers could use them to escalate their privileges or gain unauthorized access to information (CVE-2026-23651, CVE-2026-26124, both CVSS 6.7, risk "medium", and CVE-2026-26122, CVSS 6.5, risk "medium"); customers do not need to take any action, as Microsoft has corrected the errors server-side. A security vulnerability in Microsoft's Device Pricing Program, through which attackers could inject and execute malicious code from the network (CVE-2026-21536, CVSS 9.8, risk "critical"), seems somewhat bizarre. The same applies to a vulnerability in Microsoft's Payment Orchestrator Service (CVE-2026-26125, CVSS 8.6, risk "high"). Microsoft has also closed this one server-side and is publishing it only for transparency.

In Microsoft Office, two security vulnerabilities allow the injection of code from the network, for example by means of specially crafted documents. Merely displaying them in the preview pane is sufficient (CVE-2026-26110, CVE-2026-26113, CVSS 8.4, risk "high"). In Excel, malicious actors can bypass the sandbox of the Copilot agent mode and thereby exfiltrate information to the network without authorization. This is a zero-click vulnerability (CVE-2026-26144, CVSS 7.5, risk "high").

Attackers can use manipulated network packets to make the Windows Print Spooler execute injected malicious code; however, they need at least low privileges on the target system for this (CVE-2026-23669, CVSS 8.8, risk "high"). Finally, Microsoft lists ten vulnerabilities in the Chromium project that are being closed with current Edge updates; Google already fixed these in Chrome last week. Among other things, the Windows updates bring Secure Boot certificate updates to more devices, including Windows 10 systems.

Various other security vulnerabilities affect numerous products and services from the Microsoft portfolio. IT managers should therefore review Microsoft's overview and update vulnerable products used in their own organization.
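The article's own figures illustrate why that review should not be a plain sort by CVSS: the highest score on the list (9.8) belongs to a server-side fix that requires no customer action, while the flaws Microsoft rates critical carry medium CVSS scores. The following Python triage helper is an added example, not code from heise or Microsoft; the record list is constructed from the numbers quoted above, and the `ms_critical` flag is set only where the article states Microsoft's rating (False elsewhere is an assumption, not an MSRC value).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    cvss: float
    ms_critical: bool         # True only where the article says Microsoft rates it critical
    publicly_disclosed: bool  # details were already public before the patch
    customer_action: bool     # False when Microsoft fixed it server-side


# Constructed from the figures quoted in the article; not an MSRC export.
# ms_critical=False is an assumption wherever the article does not give Microsoft's rating.
MARCH_2026 = [
    Advisory("CVE-2026-21262", "SQL Server", 8.8, False, True, True),
    Advisory("CVE-2026-26127", ".NET", 7.5, False, True, True),
    Advisory("CVE-2026-23651", "ACI Confidential Containers", 6.7, True, False, False),
    Advisory("CVE-2026-21536", "Device Pricing Program", 9.8, False, False, False),
    Advisory("CVE-2026-26125", "Payment Orchestrator Service", 8.6, False, False, False),
    Advisory("CVE-2026-26110", "Office (preview pane)", 8.4, False, False, True),
    Advisory("CVE-2026-26144", "Excel Copilot agent mode", 7.5, False, False, True),
    Advisory("CVE-2026-23669", "Windows Print Spooler", 8.8, False, False, True),
]


def cvss_only(advisories):
    """Naive ordering: highest CVSS first, ignoring everything else."""
    return [a.cve for a in sorted(advisories, key=lambda a: a.cvss, reverse=True)]


def triage(advisories):
    """Return (needs_patching, informational), each ordered by vendor severity,
    then public disclosure, then CVSS. Server-side fixes never reach the patch list."""
    ranked = sorted(
        advisories,
        key=lambda a: (a.ms_critical, a.publicly_disclosed, a.cvss),
        reverse=True,
    )
    needs_patching = [a.cve for a in ranked if a.customer_action]
    informational = [a.cve for a in ranked if not a.customer_action]
    return needs_patching, informational


if __name__ == "__main__":
    print("by CVSS only:", cvss_only(MARCH_2026))
    patch, info = triage(MARCH_2026)
    print("patch first:", patch)
    print("no action needed:", info)
```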


In February, Microsoft had to close several security vulnerabilities on the Patchday that were already being attacked on the internet. Six of the vulnerabilities closed then were already being exploited by criminals before the Patchday.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.