On Tuesday, Microsoft released patches for 84 new security holes that affect different parts of its software. Two of these holes are already known to the public. Eight of these are rated as Critical, and 76 are rated as Important in terms of severity.
There are 46 patched vulnerabilities that allow privilege escalation, 18 that allow remote code execution, 10 that allow information disclosure, 4 that allow spoofing, 4 that allow denial-of-service, and 2 that allow security feature bypass. The fixes are in addition to the 10 security holes that have been patched in its Chromium-based Edge browser since the February 2026 Patch Tuesday update. CVE-2026-26127 (CVSS score: 7.5) is a denial-of-service vulnerability in .NET, and CVE-2026-21262 (CVSS score: 8.8) is an elevation of privilege vulnerability in SQL Server.
Alex Vovk, CEO and co-founder of Action1, said in a statement, "Information disclosure vulnerabilities are especially dangerous in corporate settings where Excel files often hold financial data, intellectual property, or operational records. If attackers took advantage of this, they could steal private data from internal systems without setting off any obvious alarms. Companies that use AI-assisted productivity tools may be more vulnerable because automated agents could accidentally send sensitive information outside of the company's network."
Microsoft said that the patches are coming because it is changing how Windows Autopatch works by allowing hotpatch security updates to help keep devices safe more quickly.
Redmond said, "This change in default behavior will affect all eligible devices in Microsoft Intune and those who use the Microsoft Graph API to access the service starting with the May 2026 Windows security update. Applying security fixes without waiting for a restart can get organizations to 90% compliance in half the time, and you stay in charge."












